CVE-2021-27878

8.8 HIGH

📋 TL;DR

CVE-2021-27878 is an authentication bypass vulnerability in Veritas Backup Exec's SHA authentication scheme that allows attackers to gain unauthorized access to the agent. Once authenticated, attackers can execute arbitrary commands with system privileges through data management protocol commands. This affects Veritas Backup Exec installations before version 21.2.

💻 Affected Systems

Products:
  • Veritas Backup Exec
Versions: All versions before 21.2
Operating Systems: Windows (primary), potentially others running Backup Exec agents
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the communication between Backup Exec server and agents. Both server and agent components may be vulnerable depending on configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full system compromise with complete administrative control, data exfiltration, ransomware deployment, and lateral movement across the network.

🟠 Likely Case: Unauthorized access to backup systems leading to data theft, backup corruption, or deployment of malware on affected systems.

🟢 If Mitigated: Limited impact with proper network segmentation and access controls preventing lateral movement and limiting blast radius.

🌐 Internet-Facing: HIGH - If Backup Exec agents are exposed to the internet, attackers can directly exploit this vulnerability without internal access.
🏢 Internal Only: HIGH - Even internally, this vulnerability allows privilege escalation and lateral movement within the network.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires network access to the Backup Exec agent port (typically 10000/TCP). The vulnerability is in the authentication handshake, allowing bypass of SHA authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 21.2 and later

Vendor Advisory: https://www.veritas.com/content/support/en_US/security/VTS21-001#issue3

Restart Required: Yes

Instructions:

1. Download Backup Exec 21.2 or later from the Veritas support portal.
2. Apply the update to all Backup Exec servers and agents.
3. Restart Backup Exec services.
4. Verify all agents are updated and communicating properly.

🔧 Temporary Workarounds

Network Segmentation

Applies to: all platforms

Restrict access to Backup Exec agent ports (typically 10000/TCP) to only trusted Backup Exec servers. Replace <trusted-server-ip> below with the address of each Backup Exec server.

Windows Firewall (PowerShell): scope an Allow rule to the trusted servers and leave the profile's default inbound action at Block; do not add a blanket Block rule for the port, since Windows Firewall evaluates Block rules before Allow rules and it would also cut off the legitimate servers.
New-NetFirewallRule -DisplayName "Allow BackupExec Agent from trusted servers" -Direction Inbound -LocalPort 10000 -Protocol TCP -RemoteAddress <trusted-server-ip> -Action Allow

Linux iptables: accept the trusted servers first, then drop everything else to the port (rule order matters).
iptables -A INPUT -p tcp --dport 10000 -s <trusted-server-ip> -j ACCEPT
iptables -A INPUT -p tcp --dport 10000 -j DROP

Disable SHA Authentication

Applies to: Windows

Configure Backup Exec to use only TLS-based authentication methods instead of SHA authentication scheme.

Backup Exec Console: Tools > Options > Security > Agent Authentication > Disable SHA Authentication

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Backup Exec systems from general network traffic
  • Monitor for unusual authentication attempts or command execution on Backup Exec agent ports

🔍 How to Verify

Check if Vulnerable:

Check the Backup Exec version: in the Backup Exec console, go to Help > About. If the version is below 21.2, the system is vulnerable.

Check Version:

Windows: reg query "HKLM\SOFTWARE\Veritas\Backup Exec" /v Version

Verify Fix Applied:

Verify version is 21.2 or higher and test agent communication to ensure authentication is working properly.

📡 Detection & Monitoring

Log Indicators:

  • Failed authentication attempts followed by successful authentication from unusual IPs
  • Unusual data management protocol commands in Backup Exec logs
  • System command execution from Backup Exec processes

Network Indicators:

  • Unusual traffic to Backup Exec agent port (10000/TCP) from non-Backup Exec servers
  • Authentication bypass patterns in network traffic

SIEM Query:

source="backup_exec.log" AND ("authentication bypass" OR "SHA auth failure" OR "unexpected command")
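The two indicators above (agent-port traffic from hosts that are not Backup Exec servers, and failed authentication followed by a success from an unusual host) as a small detection script. This is an added example, not part of the advisory; the trusted-server addresses, the connection records and the agent-log field layout (`auth=` / `src=`) are all constructed assumptions, since the page gives no log format.

```python
"""Added example: flag the network and log indicators for CVE-2021-27878
over constructed sample data. Field names and addresses are assumptions."""
import re
from collections import defaultdict

# Trusted Backup Exec media servers (assumed addresses for this example).
TRUSTED_SERVERS = {"10.0.0.10", "10.0.0.11"}
AGENT_PORT = 10000

# Constructed connection records (src_ip, dst_port); real data would come
# from firewall or NetFlow logs.
SAMPLE_CONNECTIONS = [
    ("10.0.0.10", 10000),  # media server -> agent port, expected
    ("10.0.5.23", 10000),  # workstation -> agent port, suspicious
    ("10.0.5.23", 443),    # unrelated traffic
]

# Constructed agent-log lines; the "auth=... src=..." layout is assumed.
SAMPLE_LOG = """\
2021-03-01T10:00:01Z agent auth=fail src=10.0.5.23
2021-03-01T10:00:02Z agent auth=fail src=10.0.5.23
2021-03-01T10:00:03Z agent auth=ok src=10.0.5.23
2021-03-01T10:05:00Z agent auth=ok src=10.0.0.10
"""
LOG_RE = re.compile(r"auth=(?P<result>\w+) src=(?P<src>[\d.]+)")


def untrusted_agent_connections(conns, trusted=TRUSTED_SERVERS, port=AGENT_PORT):
    """Network indicator: any host reaching the agent port that is not a known server."""
    return sorted({src for src, dport in conns if dport == port and src not in trusted})


def bypass_candidates(log_text, trusted=TRUSTED_SERVERS):
    """Log indicator: one or more failed authentications followed by a success
    from a host that is not a known server. Returns {src: failures_before_success}."""
    failures = defaultdict(int)
    hits = {}
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        src, result = m["src"], m["result"]
        if result == "fail":
            failures[src] += 1
        elif result == "ok" and failures[src] and src not in trusted:
            hits[src] = failures[src]
            failures[src] = 0  # reset so a later burst is reported separately
    return hits


if __name__ == "__main__":
    print(untrusted_agent_connections(SAMPLE_CONNECTIONS))  # ['10.0.5.23']
    print(bypass_candidates(SAMPLE_LOG))                     # {'10.0.5.23': 2}
```

Feed it real firewall and agent-log exports by replacing the constructed samples; a hit from either function is a starting point for triage, not proof of exploitation.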
