Researchers observed several threat actors advertising fully weaponized remote code execution (RCE) tools for vulnerabilities in the Veeam Backup & Replication application.
The advertised tools target CVE-2022-26500 and CVE-2022-26501, both rated 9.8 on CVSS v3, and CVE-2022-26504, rated 8.8 on CVSS v3.
According to the researchers, successful exploitation allows an attacker to copy files from the local system or from a remote Server Message Block (SMB) share, to achieve unauthenticated remote code execution, or to achieve unauthenticated RCE or local privilege escalation (LPE).
Veeam Backup & Replication is a proprietary backup application for virtual environments built on the VMware vSphere, Nutanix AHV and Microsoft Hyper-V hypervisors. Beyond backing up and recovering virtual machines (VMs), it can also protect and restore individual files and application items for workloads such as Exchange and SharePoint.
As for attribution, the researchers reported that malware named Veeamp has been seen in the wild, used by the Monti and Yanluowang ransomware groups to dump credentials from the SQL database that backs the Veeam backup management software.
The researchers also found a GitHub repository named veeam-creds containing scripts for recovering passwords from the Veeam Backup & Replication credential manager, alongside three malicious files. Veeam patched the vulnerabilities in version 220.127.116.111 of its software.
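The credential dumping attributed to Veeamp and the veeam-creds scripts above shows up at the database tier as an unexpected client reading the configuration database's credential table. The following is an added example of detection logic run over constructed SQL Server audit records; it is not Veeam's or CloudSEK's code. The record format, the database name VeeamBackup, the table name dbo.Credentials and the ALLOWED_APPS allow-list are assumptions to adapt to the deployment.

```python
"""Flag reads of the Veeam configuration database's credential table that
come from clients other than the backup software itself.

Added example, not Veeam's or CloudSEK's code.  Assumptions: audit records
are a constructed pipe-delimited export of SQL Server audit events, the
configuration database is named VeeamBackup, the credential table is
dbo.Credentials, and ALLOWED_APPS lists the programs that may read it.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List

CONFIG_DB = "VeeamBackup"                                        # assumed name
CRED_TABLE_RE = re.compile(r"\bcredentials\b", re.IGNORECASE)   # assumed table
PASSWORD_COL_RE = re.compile(r"\bpassword\b", re.IGNORECASE)    # encrypted secret column

# Assumed allow-list of clients that legitimately read the credential table.
ALLOWED_APPS = {"Veeam.Backup.Service.exe", "Veeam.Backup.Manager.exe"}


@dataclass
class AuditRecord:
    timestamp: str
    login: str
    client_host: str
    application: str   # program_name / application_name reported by the client
    database: str
    statement: str


def parse_record(line: str) -> AuditRecord:
    """Parse one constructed 'ts | login | host | app | db | statement' line."""
    parts = [p.strip() for p in line.split("|", 5)]
    if len(parts) != 6:
        raise ValueError(f"malformed audit record: {line!r}")
    return AuditRecord(*parts)


def touches_credential_table(rec: AuditRecord) -> bool:
    """True when the statement reads the credential table, whether the session
    is in the config database or addresses it with a three-part name."""
    in_config_db = (rec.database.lower() == CONFIG_DB.lower()
                    or CONFIG_DB.lower() in rec.statement.lower())
    return in_config_db and bool(CRED_TABLE_RE.search(rec.statement))


def classify(rec: AuditRecord) -> str:
    """'ok', 'suspicious' (unexpected client reads the table) or 'critical'
    (unexpected client also selects the password column)."""
    if not touches_credential_table(rec) or rec.application in ALLOWED_APPS:
        return "ok"
    return "critical" if PASSWORD_COL_RE.search(rec.statement) else "suspicious"


def find_suspicious(lines: Iterable[str]) -> List[AuditRecord]:
    """Return every record that is not classified 'ok'."""
    return [r for r in map(parse_record, lines) if classify(r) != "ok"]


# Constructed sample audit export (not real telemetry).
SAMPLE_AUDIT = [
    "2023-05-01T02:10:04Z | NT AUTHORITY\\SYSTEM | VBR01 | Veeam.Backup.Service.exe | VeeamBackup | SELECT id, user_name, password FROM dbo.Credentials",
    "2023-05-01T02:14:37Z | CORP\\jdoe | WS-117 | SQLCMD | master | SELECT [user_name],[password] FROM [VeeamBackup].[dbo].[Credentials]",
    "2023-05-01T02:15:02Z | CORP\\jdoe | WS-117 | SQLCMD | VeeamBackup | SELECT name FROM dbo.Repositories",
    "2023-05-01T02:16:11Z | CORP\\svc_report | RPT01 | Microsoft SQL Server Management Studio | VeeamBackup | SELECT id, user_name FROM dbo.Credentials",
]

if __name__ == "__main__":
    for rec in find_suspicious(SAMPLE_AUDIT):
        print(f"{classify(rec):10} {rec.timestamp} {rec.login}@{rec.client_host} "
              f"via {rec.application}: {rec.statement}")
```

The allow-list is the weak point of this rule: an attacker who runs queries from inside a compromised Veeam service process would not trip it, so pair it with host-side monitoring of which binaries actually open the SQL connection.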
This research was documented by researchers from CloudSEK.