Multiple RCE Vulnerabilities Affecting Veeam Backup & Replication

Several critical and high-severity vulnerabilities affecting Veeam Backup & Replication exploited by advertising fully weaponized tools for remote code execution.
Updated on
April 19, 2023
Published on
October 24, 2022
Subscribe to the latest industry news, threats and resources.
Category: Vulnerability Intelligence Vulnerability Class: Remote Code Execution CVE ID: CVE-2022-26500 CVE-2022-26501 CVE-2022-26504 CVSS:3.0 Score: 8.8 to 9.8

Executive Summary

  • Several critical and high-severity vulnerabilities affecting Veeam Backup & Replication exploited by advertising fully weaponized tools for remote code execution.
  • Threat actors can exploit the vulnerabilities to:
    • Gain initial access
    • Disclose sensitive information
    • Perform DDoS attacks
    • Encrypt the infrastructure with malware
    • Gain privileges and execute arbitrary code remotely
  • Upgrade to P20220302

Analysis and Attribution

  • CloudSEK’s contextual AI digital risk platform XVigil has analyzed several critical and high-severity vulnerabilities affecting Veeam Backup & Replication.
  • Several threat actors were seen advertising the fully weaponized tool for remote code execution to exploit the following vulnerabilities affecting Veeam Backup & Replication:
    • CVE-2022-26500 and CVE-2022-26501 with a CVSS V3 score of 9.8
    • CVE-2022-26504 with a CVSS V3 score of 8.8
  • A successful exploitation of the above-mentioned CVEs can lead to:
    • Copying files within the boundaries of the locale or from a remote SMB network
    • RCE without authorization ('Network Service' rights)
    • RCE/LPE without authorization ('Local System' rights)
[caption id="attachment_21245" align="alignnone" width="1920"]Veeam Backup & Replication Veeam Backup & Replication[/caption]

What is Veeam Backup & Replication?

  • Veeam Backup & Replication is a proprietary backup app for virtual environments built on VMware vSphere, Nutanix AHV, and Microsoft Hyper-V hypervisors.
  • In addition to backing up and recovering VMs, it can protect and restore individual files and applications for environments such as Exchange and SharePoint.

CVEs Exploited By Threat Actors

CVE-2022-26500, CVE-2022-26501

  • Remote Code Execution vulnerability in Veeam Distribution Service
  • The Veeam distribution service, which uses TCP 9380 with default settings, allows threat actors who are not authenticated to access internal API functions.
  • This component allows threat actors to execute malicious code remotely without authentication.


  • Remote Code Execution vulnerability in Veeam Backup PSManager
  • The Veeam process.Backup.PSManager.exe using TCP 8732 with default settings, allows threat actors that are not administrators to authenticate using domain credentials.
  • This vulnerability allows domain attackers to execute malicious code remotely by attacking vulnerable components leading to gaining control of the system.

Information from OSINT

CloudSEK researchers were able to find a GitHub repository named “veeam-creds” with the following specifications:
  • It contained scripts for recovering passwords from the Veeam Backup and Replication credential manager.
  • The repository had the following 3 files:
    • Veeam-Get-Creds.ps1 - PowerShell script for getting and decrypting accounts directly from the Veeam's database.
    • VeeamGetCreds.yaml -PowerShell Empire module with adapted Veeam-Get-Creds.ps1 script.
    • - Python script to emulate vSphere responses to retrieve stored credentials from Veeam.

Possible Ransomware Affiliations

  • A malware named “Veeamp” was found in the wild being used by following two ransomware groups to dump credentials from a SQL database for Veeam backup management software.
    • Monti Ransomware
    • Yanluowang Ransomware
  • The malware file is a 32-bit .NET binary that attempts to connect with a SQL database named VeeamBackup upon launching and runs the following command: select [user_name],[password],[description] FROM [VeeamBackup].[dbo].[Credentials]
  • The credential dumper named “Veeamp.exe” after successful decryptions, prints the following in order:
    • Username
    • Encrypted Password
    • Decrypted Password
    • Description

Indicators of Compromise (IoCs)

Based on the results from VirusTotal, the following are the IOCs for Veeamp.
veeamp.exe vp.exe
9aa1.exe o_vp.exe
IP Address



[caption id="attachment_21246" align="aligncenter" width="1142"]Veeam Backup & Replication Functionalities Veeam Backup & Replication Functionalities[/caption]   [caption id="attachment_21247" align="aligncenter" width="1677"]RCE Execution RCE Execution[/caption]

Get Global Threat Intelligence on Real Time

Protect your business from cyber threats with real-time global threat intelligence data.. 30-day free and No Commitment Trial.
Schedule a Demo
Real time Threat Intelligence Data
More information and context about Underground Chatter
On-Demand Research Services
Dashboard mockup
Global Threat Intelligence Feed

Protect and proceed with Actionable Intelligence

The Global Cyber Threat Intelligence Feed is an innovative platform that gathers information from various sources to help businesses and organizations stay ahead of potential cyber-attacks. This feed provides real-time updates on cyber threats, including malware, phishing scams, and other forms of cybercrime.
Trusted by 400+ Top organisations