CVE-2022-26500

8.8 HIGH

📋 TL;DR

CVE-2022-26500 is a path traversal vulnerability in the Veeam Distribution Service (TCP 9380 by default) of Veeam Backup & Replication. A remote attacker who can reach that service with valid credentials can use it to call internal API functions, upload a file to the backup server and have it executed, which amounts to remote code execution on the backup server. Affected releases are 9.5 Update 3, 9.5 Update 4, 10.x and 11.x; the fix shipped in the KB4288 cumulative patches for 10a and 11a, alongside the related CVE-2022-26501.

💻 Affected Systems

Products:
  • Veeam Backup & Replication
Versions: 9.5U3, 9.5U4, 10.x, and 11.x
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated access to the Veeam Backup & Replication server

📦 What is this software?

Veeam Backup & Replication is Veeam's backup, replication and recovery product for virtual, physical and cloud workloads. The backup server component runs on Windows, stores credentials for the systems it protects and has write access to the backup repositories, which is why a compromised backup server is a prized target for ransomware operators.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise leading to ransomware deployment, data exfiltration, or lateral movement across the network

🟠

Likely Case

Backup server compromise allowing attackers to access sensitive backup data and potentially deploy malware

🟢

If Mitigated

Limited impact if proper network segmentation and authentication controls prevent access to vulnerable components

🌐 Internet-Facing: HIGH - If Veeam Backup & Replication is exposed to the internet, attackers can exploit this remotely
🏢 Internal Only: HIGH - Even internally, authenticated users or compromised accounts can exploit this vulnerability

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ✅ No
Complexity: LOW

CISA has added this to their Known Exploited Vulnerabilities catalog, confirming active exploitation in the wild

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Veeam Backup & Replication 11a build 11.0.1.1261 P20220302, or 10a build 10.0.1.4854 P20220304 (both delivered by the KB4288 cumulative patch). 9.5 U3/U4 receive no patch and must be upgraded. Later releases (subsequent 11a patches and v12) include the fix.

Vendor Advisory: https://www.veeam.com/kb4288

Restart Required: Yes

Instructions:

1. Download the cumulative patch for your release (10a or 11a) from KB4288; 9.5 installs must be upgraded to a patched release instead.
2. Apply the patch on every Veeam Backup & Replication server.
3. Let the installer restart the Veeam services, or restart the Veeam Backup Service afterwards.
4. Confirm the build and patch level in Help > About (for example 11.0.1.1261 P20220302).

🔧 Temporary Workarounds

Network Segmentation (all affected versions)

Restrict access to Veeam Backup & Replication servers, in particular TCP 9380 (Veeam Distribution Service), to authorized management networks only.

Authentication Hardening (all affected versions)

Implement multi-factor authentication and strong password policies for Veeam administrative accounts. Because exploitation needs only an account that can authenticate to the backup server and yields code execution on it, treat every such account as equivalent to a local administrator of the backup server.

🧯 If You Can't Patch

  • Isolate Veeam Backup & Replication servers from the internet and restrict internal access using firewall rules
  • Implement strict monitoring and alerting for unusual API calls or file uploads to Veeam servers
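The firewall restriction above, as an added example written for this page (it is not from Veeam or KB4288). It scopes the Veeam ports named in this advisory to management subnets with Windows Defender Firewall: TCP 9380 is the Veeam Distribution Service port from the NVD description, 9392/9393 are the Backup Service ports listed under Detection below. The management subnet in $ManagementCidrs, the port list and the assumption that you run it elevated on the backup server are the script's own; without -Enforce it only reports.

```powershell
# Added example (not from Veeam KB4288 or the original page): scope the Veeam ports named in this
# advisory to management subnets with Windows Defender Firewall.
# Assumptions: run elevated on the backup server; replace $ManagementCidrs with your own subnets.
param(
    [string[]]$ManagementCidrs = @('10.10.0.0/24'),   # assumption: your management subnets
    [int[]]$Ports = @(9380, 9392, 9393),              # 9380 = Veeam Distribution Service (NVD), 9392/9393 = Backup Service
    [switch]$Enforce                                  # report only unless -Enforce is given
)

function Test-PortSpecCovers {
    # Firewall port filters hold 'Any', single ports ('9380'), ranges ('9390-9399') or keywords (RPC, ...).
    param([string]$Spec, [int]$Port)
    if ($Spec -eq 'Any') { return $true }
    if ($Spec -match '^(\d+)-(\d+)$') { return ($Port -ge [int]$Matches[1]) -and ($Port -le [int]$Matches[2]) }
    if ($Spec -match '^\d+$') { return [int]$Spec -eq $Port }
    return $false
}

function Get-VeeamPortListeners {
    # What is actually bound to the ports, and who is connected right now.
    Get-NetTCPConnection -State Listen, Established -ErrorAction SilentlyContinue |
        Where-Object { $Ports -contains $_.LocalPort } |
        ForEach-Object {
            $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{ Port = $_.LocalPort; State = $_.State; Remote = $_.RemoteAddress
                               Process = $p.ProcessName; PID = $_.OwningProcess }
        }
}

function Set-VeeamPortScope {
    # Windows Defender Firewall evaluates Block rules before Allow rules, so a blanket Block on 9380
    # would cut off the management subnet too. The working pattern: disable the broad Allow rules that
    # currently expose the ports, add one Allow rule scoped to the management subnets, and let the
    # profile's default inbound action (Block) refuse everything else.
    $exposing = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow -ErrorAction SilentlyContinue |
        ForEach-Object {
            $rule = $_
            $pf = $rule | Get-NetFirewallPortFilter
            $af = $rule | Get-NetFirewallAddressFilter
            $covers = @($pf.LocalPort) | Where-Object { $spec = $_; $Ports | Where-Object { Test-PortSpecCovers $spec $_ } }
            if (($pf.Protocol -in 'TCP', 'Any') -and $covers) {
                [pscustomobject]@{ Rule = $rule; Name = $rule.DisplayName
                                   Ports = (@($pf.LocalPort) -join ','); Remote = (@($af.RemoteAddress) -join ',') }
            }
        }

    foreach ($e in $exposing) {
        if ($e.Ports -eq 'Any') {
            # Program/service rules with LocalPort Any (WMI, for instance) are too broad to auto-disable; review by hand.
            "REVIEW (port Any, left enabled): '{0}' remote={1}" -f $e.Name, $e.Remote
        } elseif ($Enforce) {
            Disable-NetFirewallRule -Name $e.Rule.Name
            "Disabled: '{0}' ports={1} remote={2}" -f $e.Name, $e.Ports, $e.Remote
        } else {
            "Would disable: '{0}' ports={1} remote={2}" -f $e.Name, $e.Ports, $e.Remote
        }
    }
    if ($Enforce) {
        New-NetFirewallRule -DisplayName 'Veeam B&R ports - management subnets only' -Direction Inbound `
            -Protocol TCP -LocalPort $Ports -RemoteAddress $ManagementCidrs -Action Allow -Profile Any | Out-Null
        "Added scoped Allow for TCP {0} from {1}" -f ($Ports -join ','), ($ManagementCidrs -join ',')
    }
}

Get-VeeamPortListeners | Format-Table -AutoSize
Set-VeeamPortScope
# Re-run with -Enforce once the report looks right, and confirm the default inbound action is Block:
#   Get-NetFirewallProfile | Select-Object Name, DefaultInboundAction
```

Rules with LocalPort "Any" are only reported, never disabled, because they are usually program- or service-scoped (WMI, remote management) and switching them off blindly breaks administration. Run the report first, then decide which of those to narrow by hand before applying -Enforce.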

🔍 How to Verify

Check if Vulnerable:

Find the installed build in the console (Help > About) or with Get-VBRVersion in the Veeam PowerShell module. Any 9.5 build, any 10.x build below 10.0.1.4854 and any 11.x build below 11.0.1.1261 is vulnerable. A 10a or 11a install on the base build is also vulnerable unless the patch level reads P20220304 (10a) or P20220302 (11a).

Check Version:

Get-VBRVersion (Veeam PowerShell module) or Help > About in the Veeam Backup & Replication console; the About dialog shows the build together with the patch level, for example 11.0.1.1261 P20220302.

Verify Fix Applied:

The build shown is 11.0.1.1261 P20220302 (11a), 10.0.1.4854 P20220304 (10a) or any later release. The base build number alone is not proof: an unpatched 11a also reports 11.0.1.1261, so check for the P-suffix or for the KB4288 patch in the installed updates.
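As an added example (this editor's, not Veeam's tooling and not from KB4288), a PowerShell check that reads the installed build from the Windows uninstall registry and applies the version logic above, including the base-build caveat. It assumes the product is registered under the standard Uninstall keys with a DisplayName beginning "Veeam Backup & Replication"; if your install differs, use Get-VBRVersion or Help > About instead.

```powershell
# Added example, not Veeam's own tooling. Reads the Veeam Backup & Replication build from the
# Windows uninstall registry and compares it with the KB4288 fixed builds.
# Assumption: the product registers itself under the standard Uninstall keys with a DisplayName
# starting "Veeam Backup & Replication" (true for MSI-based installs; adjust if yours differs).

$FixedBuilds = @{ 10 = [version]'10.0.1.4854'; 11 = [version]'11.0.1.1261' }   # KB4288 base builds

function Get-VbrInstalledVersion {
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $hit = Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Veeam Backup & Replication*' } |
        Select-Object -First 1
    if ($hit) { [version]$hit.DisplayVersion } else { $null }
}

function Get-Cve202226500Status {
    param([version]$Build)
    if (-not $Build) { return 'Veeam Backup & Replication not found in the uninstall registry' }
    switch ($Build.Major) {
        { $_ -le 9 } { return "Build $Build is 9.5 or older: no patch exists, upgrade to 11a P20220302 or later" }
        10           { $fixed = $FixedBuilds[10] }
        11           { $fixed = $FixedBuilds[11] }
        default      { return "Build $Build is outside the affected range (9.5U3-11.x); CVE-2022-26500 does not apply" }
    }
    if ($Build -lt $fixed) {
        return "Build $Build is below $fixed: VULNERABLE, apply the KB4288 cumulative patch"
    }
    # Patched and unpatched 10a/11a share the base build number; only the P-suffix shown in
    # Help > About (e.g. 11.0.1.1261 P20220302) proves the fix is present.
    return "Build $Build is the 10a/11a base: confirm patch level P20220304 (10a) or P20220302 (11a) in Help > About"
}

Get-Cve202226500Status -Build (Get-VbrInstalledVersion)
```

The switch deliberately stops at the base build rather than declaring the host fixed: the registry DisplayVersion does not carry the patch suffix, and reporting "patched" on that basis alone is exactly the false negative that leaves an 11a server exposed.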

📡 Detection & Monitoring

Log Indicators:

  • Unusual API calls to Veeam services
  • Unexpected file uploads to Veeam server paths
  • Authentication attempts from unusual sources

Network Indicators:

  • Unusual traffic to Veeam Backup Service ports (9392/TCP, 9393/TCP)
  • HTTP requests to internal Veeam API endpoints

SIEM Query:

Pseudo-query (adapt field names and the allow-list to your SIEM; Veeam does not emit events named api_call or file_upload verbatim):

source="veeam*" AND (event_type="api_call" OR event_type="file_upload") AND NOT user IN ("authorized_users")
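The network and file indicators above, turned into detection logic as an added example for this page (not Veeam's, and not part of the original). It parses Windows Defender Firewall log lines in pfirewall.log format and flags inbound connections to the Veeam ports from outside the management subnets, and it sweeps the Veeam install tree for recently written executables, the "unexpected file upload" indicator. The management subnets, the default install path and the sample log lines are this example's own constructions; allowed-connection logging must be enabled (Set-NetFirewallProfile -LogAllowed True) for ALLOW lines to appear in a real log.

```powershell
# Added example (not part of the original page or any Veeam tooling): detection logic for the
# network indicators above over Windows Defender Firewall log lines, plus a sweep for recently
# written executables under the Veeam install tree.
# Assumptions: management subnets in $ManagementCidrs, default Veeam install path, and that
# allowed-connection logging is on (Set-NetFirewallProfile -LogAllowed True) so ALLOW lines exist.

$ManagementCidrs = @('10.10.0.0/24')                                  # assumption: your management subnets
$WatchedPorts    = @(9380, 9392, 9393)                                 # 9380 = Distribution Service (NVD); 9392/9393 = Backup Service
$VeeamRoot       = 'C:\Program Files\Veeam\Backup and Replication'    # assumption: default install path

function ConvertTo-IPv4Long {
    param([string]$Address)
    $b = ([System.Net.IPAddress]::Parse($Address)).GetAddressBytes()
    return ([long]$b[0] * 16777216) + ([long]$b[1] * 65536) + ([long]$b[2] * 256) + [long]$b[3]
}

function Test-IPv4InCidr {
    param([string]$Address, [string]$Cidr)
    $net, $bits = $Cidr.Split('/')
    if ($Address -notmatch '^\d{1,3}(\.\d{1,3}){3}$') { return $false }  # IPv6 or junk: treat as outside
    $mask = [long]([math]::Pow(2, 32) - [math]::Pow(2, 32 - [int]$bits))  # e.g. /24 -> 0xFFFFFF00
    return ((ConvertTo-IPv4Long $Address) -band $mask) -eq ((ConvertTo-IPv4Long $net) -band $mask)
}

function Find-UnexpectedVeeamPortAccess {
    # Parses pfirewall.log lines (fields: date time action protocol src-ip dst-ip src-port dst-port ... path)
    # and returns inbound connections to a watched port from outside the management subnets.
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ([string]::IsNullOrWhiteSpace($line) -or $line.StartsWith('#')) { continue }
        $f = $line -split '\s+'
        if ($f.Count -lt 17 -or $f[3] -ne 'TCP' -or $f[16] -ne 'RECEIVE') { continue }
        $dstPort = [int]$f[7]
        if ($WatchedPorts -notcontains $dstPort) { continue }
        $trusted = $false
        foreach ($c in $ManagementCidrs) { if (Test-IPv4InCidr $f[4] $c) { $trusted = $true; break } }
        if (-not $trusted) {
            [pscustomobject]@{ Time = "$($f[0]) $($f[1])"; Action = $f[2]; Source = $f[4]; Port = $dstPort }
        }
    }
}

function Find-RecentVeeamBinaries {
    # Executables or scripts written under the Veeam tree recently. Legitimate patching also produces
    # these, so correlate hits with change records before treating them as an attacker upload.
    param([string]$Root = $VeeamRoot, [int]$Days = 7)
    Get-ChildItem -Path $Root -Recurse -Include *.exe, *.dll, *.ps1, *.bat -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-$Days) } |
        Select-Object FullName, LastWriteTime, Length
}

# Constructed sample log lines (not a real capture) in pfirewall.log format.
$SampleLog = @'
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2022-03-10 09:14:02 ALLOW TCP 10.10.0.5 10.10.0.20 51234 9380 0 - 0 0 0 - - - RECEIVE
2022-03-10 09:14:31 ALLOW TCP 203.0.113.77 10.10.0.20 44120 9380 0 - 0 0 0 - - - RECEIVE
2022-03-10 09:15:10 DROP TCP 198.51.100.9 10.10.0.20 60001 9392 0 - 0 0 0 - - - RECEIVE
2022-03-10 09:16:44 ALLOW TCP 10.10.0.20 10.10.0.5 9380 51234 0 - 0 0 0 - - - SEND
'@ -split "`r?`n"

# On the sample, only 203.0.113.77 -> 9380 (ALLOW) and 198.51.100.9 -> 9392 (DROP) are reported;
# the management-subnet peer and the outbound SEND line are ignored.
Find-UnexpectedVeeamPortAccess -Lines $SampleLog | Format-Table -AutoSize
# Live use:
#   Find-UnexpectedVeeamPortAccess -Lines (Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log")
#   Find-RecentVeeamBinaries | Format-Table -AutoSize
```

An ALLOW to 9380 from outside the management subnet is the line that matters: a DROP shows the firewall scoping is working, while an ALLOW means the Distribution Service was reachable by someone who should not have had a path to it, and the follow-up is to check that host's authentication events and the binary sweep for the same time window.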

🔗 References

  • Veeam KB4288 (vendor advisory and cumulative patch): https://www.veeam.com/kb4288
  • NVD entry for CVE-2022-26500: https://nvd.nist.gov/vuln/detail/CVE-2022-26500
  • CISA Known Exploited Vulnerabilities catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog