CVE-2021-27876

8.1 HIGH

📋 TL;DR

CVE-2021-27876 is an authentication bypass vulnerability in the Veritas Backup Exec Agent that allows attackers to gain unauthorized access and execute arbitrary commands with System privileges. It affects Veritas Backup Exec versions before 21.2. After bypassing SHA authentication, an attacker can read arbitrary files on the system.

💻 Affected Systems

Products:
  • Veritas Backup Exec
Versions: All versions before 21.2
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the Backup Exec Agent component which communicates with the Backup Exec server. The vulnerability is in the SHA authentication scheme used for agent communication.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise with SYSTEM privileges, allowing file access, data exfiltration, and potential ransomware deployment across the backup infrastructure.

🟠 Likely Case

Unauthorized access to sensitive backup data, configuration files, and potential lateral movement within the network using compromised backup credentials.

🟢 If Mitigated

Limited impact if network segmentation isolates backup systems and proper authentication controls are in place.

🌐 Internet-Facing: HIGH - Backup Exec Agents often communicate over networks and could be exposed to internet-based attacks if misconfigured.
🏢 Internal Only: HIGH - Even internally, this allows privilege escalation and lateral movement within enterprise networks.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit code available on Packet Storm. CISA has added this to their Known Exploited Vulnerabilities catalog, indicating active exploitation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 21.2 and later

Vendor Advisory: https://www.veritas.com/content/support/en_US/security/VTS21-001

Restart Required: Yes

Instructions:

1. Download Backup Exec 21.2 or later from the Veritas support portal.
2. Install the update on all Backup Exec servers and agents.
3. Restart all Backup Exec services.
4. Verify that agent communication is functioning properly.

🔧 Temporary Workarounds

Network Segmentation (platform: all)

Isolate Backup Exec servers and agents from untrusted networks using firewall rules.

Disable SHA Authentication (platform: windows)

Configure Backup Exec to use only TLS authentication for agent communication.

🧯 If You Can't Patch

  • Implement strict network access controls to limit Backup Exec Agent communication to trusted IP addresses only.
  • Monitor for unusual authentication attempts or file access patterns from Backup Exec Agent processes.

🔍 How to Verify

Check if Vulnerable:

Check Backup Exec version in the console: Help > About Backup Exec. If version is below 21.2, the system is vulnerable.

Check Version:

In Backup Exec console: Help > About Backup Exec

Verify Fix Applied:

Verify version is 21.2 or higher and test agent authentication using only TLS protocols.

📡 Detection & Monitoring

Log Indicators:

  • Failed authentication attempts followed by successful authentication from unusual IPs
  • Unusual file access patterns by Backup Exec Agent service

Network Indicators:

  • Unusual network traffic to Backup Exec Agent port (typically 10000)
  • Authentication attempts bypassing TLS

SIEM Query:

source="backup_exec" AND ((event_type="authentication" AND result="success" AND protocol!="TLS") OR (process="bedag.exe" AND file_access="*system*" AND user="SYSTEM"))

The outer parentheses matter: AND binds more tightly than OR in most SIEM query languages, so without them the source="backup_exec" filter would apply only to the first clause.
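The three indicators above (non-TLS authentication success, the agent process reading system paths as SYSTEM, and failed attempts followed by success from an unusual address) can be checked outside a SIEM as well. The script below is an added example written for this page, not code from Veritas or from the original advisory; it assumes a constructed key=value log format whose field names mirror the SIEM query, a constructed set of sample lines, and a hypothetical trusted-address list for the Backup Exec server.

```python
import re
from collections import defaultdict

# Constructed sample log lines (assumption: one key=value pair per field,
# space-separated). Field names mirror the SIEM query above; the hosts,
# addresses and file paths are made up for this example.
SAMPLE_LOGS = r"""
ts=2021-03-01T10:00:01Z source=backup_exec event_type=authentication result=failure protocol=SHA src_ip=203.0.113.7 user=backup
ts=2021-03-01T10:00:02Z source=backup_exec event_type=authentication result=failure protocol=SHA src_ip=203.0.113.7 user=backup
ts=2021-03-01T10:00:03Z source=backup_exec event_type=authentication result=success protocol=SHA src_ip=203.0.113.7 user=backup
ts=2021-03-01T10:00:04Z source=backup_exec event_type=file_access process=bedag.exe user=SYSTEM file_access=C:\Windows\System32\config\SAM
ts=2021-03-01T10:05:00Z source=backup_exec event_type=authentication result=success protocol=TLS src_ip=10.0.0.5 user=backup
ts=2021-03-01T10:05:01Z source=backup_exec event_type=file_access process=bedag.exe user=SYSTEM file_access=D:\Backups\job1.bkf
"""

# Assumption: the address of the legitimate Backup Exec server.
TRUSTED_IPS = {"10.0.0.5"}

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Parse one key=value log line into a dict of string fields."""
    return dict(KV_RE.findall(line))


def parse_logs(text):
    """Parse a block of log text, skipping blank lines."""
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def non_tls_auth_success(events):
    """Indicator 1: successful agent authentication not carried over TLS."""
    return [e for e in events
            if e.get("source") == "backup_exec"
            and e.get("event_type") == "authentication"
            and e.get("result") == "success"
            and e.get("protocol") != "TLS"]


def system_file_access(events):
    """Indicator 2: the agent process touching system paths as SYSTEM
    (the file_access="*system*" wildcard, matched case-insensitively)."""
    return [e for e in events
            if e.get("process") == "bedag.exe"
            and e.get("user") == "SYSTEM"
            and "system" in e.get("file_access", "").lower()]


def failures_then_success(events, min_failures=2):
    """Indicator 3: at least min_failures failed authentications followed
    by a success from an address that is not a known server. Returns a
    dict mapping the flagged source address to its failure count."""
    failures = defaultdict(int)
    flagged = {}
    for e in events:
        if e.get("event_type") != "authentication":
            continue
        ip = e.get("src_ip", "?")
        if e.get("result") == "failure":
            failures[ip] += 1
        elif e.get("result") == "success":
            if failures[ip] >= min_failures and ip not in TRUSTED_IPS:
                flagged[ip] = failures[ip]
            failures[ip] = 0  # a success resets the streak for that address
    return flagged


def detect(log_text):
    """Run all three indicators over raw log text."""
    events = parse_logs(log_text)
    return {
        "non_tls_auth_success": non_tls_auth_success(events),
        "system_file_access": system_file_access(events),
        "failures_then_success": failures_then_success(events),
    }


if __name__ == "__main__":
    for name, hits in detect(SAMPLE_LOGS).items():
        print(f"{name}: {hits}")
```

Run against the sample lines, only the 203.0.113.7 session trips the indicators: its SHA authentication succeeds after two failures, and the agent then reads a path under System32. The TLS session from the trusted server address is left alone, which is the behaviour you want before tuning this into a real alert.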
