TROYANOSYVIRUS

CVE-2022-26500

HIGH (8.8), CISA KEV

Description

Improper limitation of path names in Veeam Backup & Replication 9.5U3, 9.5U4, 10.x, and 11.x allows remote authenticated users to access internal API functions, which allows attackers to upload and execute arbitrary code.

CVE Details

CVSS v3.1 Score: 8.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: NETWORK
Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Published: 3/17/2022
Last Modified: 11/3/2025
Source: kev
Honeypot Sightings: 0

CISA KEV

Vendor: Veeam
Product: Backup & Replication
Vulnerability Name: Veeam Backup & Replication Remote Code Execution Vulnerability
KEV Date Added: 2022-12-13
Remediation Due Date: 2023-01-03
Ransomware Use: Known

Affected Products

veeam:veeam_backup_\&_replication

Weaknesses (CWE)

CWE-22

References

https://veeam.com (cve@mitre.org)
https://veeam.com (af854a3a-2127-422b-91ae-364da2661108)
https://www.veeam.com/kb4288 (af854a3a-2127-422b-91ae-364da2661108)

IOC Correlations

No correlations recorded

This product uses data from the NVD API but is not endorsed or certified by the NVD.