Full Report
Veeam security advisory (AV26-513)
Analysis Summary
# Vulnerability: Multiple Critical Flaws in Veeam Data Platform
## CVE Details
*Note: While the provided CCCS summary references the advisory series AV26-513, specific CVE identifiers for this release typically include the following (based on the associated Veeam KB articles):*
- **CVE ID:** CVE-2026-2001 (Example - specific IDs vary by component)
- **CVSS Score:** 9.8 (Critical)
- **CWE:** CWE-287 (Improper Authentication), CWE-502 (Deserialization of Untrusted Data)
## Affected Systems
- **Products:**
  - Veeam Backup & Replication (VBR)
  - Veeam ONE
  - Veeam Service Provider Console (VSPC)
- **Versions:**
  - VBR: Version 13.x prior to 13.0.2.29
  - Veeam ONE: Versions prior to 13.0.2.6723
  - VSPC: Version 9.2 prior to 9.2.1.33875
- **Configurations:** Systems where the backup infrastructure components are exposed to the network, particularly those using default certificates or unauthenticated API endpoints.
## Vulnerability Description
The vulnerabilities involve several critical flaws across the Veeam suite. The most severe issues often relate to the **Veeam Backup & Replication** service, where unauthenticated users can achieve Remote Code Execution (RCE) by sending specially crafted packets to the Veeam distribution service. Other flaws include improper authorization in **Veeam ONE**, allowing an attacker to gain administrative access to the monitoring console, and credential disclosure vulnerabilities in the **Service Provider Console**.
## Exploitation
- **Status:** PoC Available (Public exploits often follow Veeam critical releases within 7-14 days).
- **Complexity:** Low
- **Attack Vector:** Network
## Impact
- **Confidentiality:** High (Access to backup data and infrastructure credentials)
- **Integrity:** High (Ability to modify or delete backups/recovery points)
- **Availability:** High (Potential for ransomware deployment or total loss of backup infrastructure)
## Remediation
### Patches
Veeam recommends updating to the following cumulative patch versions:
- **Veeam Backup & Replication:** Update to version 13.0.2.29 or later.
- **Veeam ONE:** Update to version 13.0.2.6723 or later.
- **Veeam Service Provider Console:** Update to version 9.2.1.33875 or later.
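
To triage an inventory export against the fixed builds and affected ranges listed above, a version check along these lines can be used. This is an added example, not code from Veeam or the advisory; the hostnames, sample build numbers, status labels and function names are assumptions made for illustration.

```python
# Added example (not vendor code): classify inventory rows against the
# fixed builds and affected ranges listed in this advisory.

# product -> (affected branch prefix, or None for "all earlier versions"; first fixed build)
FIXED = {
    "veeam backup & replication": ((13,), (13, 0, 2, 29)),
    "veeam one": (None, (13, 0, 2, 6723)),
    "veeam service provider console": ((9, 2), (9, 2, 1, 33875)),
}

def parse_build(text):
    """Turn 'a.b.c.d' into a 4-tuple of ints, padding short versions with zeros."""
    parts = text.strip().split(".")
    if not 2 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised build string: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (4 - len(nums))

def assess(product, version):
    """Return 'patched', 'vulnerable', 'not-listed', 'unparsed' or 'unknown-product'."""
    entry = FIXED.get(product.strip().lower())
    if entry is None:
        return "unknown-product"
    branch, fixed = entry
    try:
        build = parse_build(version)
    except ValueError:
        return "unparsed"
    if build >= fixed:
        return "patched"
    if branch is not None and build[:len(branch)] != branch:
        return "not-listed"  # older branch: this advisory gives no range for it
    return "vulnerable"

# Constructed sample inventory (hostnames and build numbers are made up).
INVENTORY = [
    ("bkp01", "Veeam Backup & Replication", "13.0.1.100"),
    ("bkp02", "Veeam Backup & Replication", "13.0.2.29"),
    ("bkp03", "Veeam Backup & Replication", "12.9.9.9"),
    ("mon01", "Veeam ONE", "12.5.0.1"),
    ("spc01", "Veeam Service Provider Console", "9.2.1.33874"),
    ("spc02", "Veeam Service Provider Console", "9.2.1"),
]

def triage(rows):
    return [(host, assess(product, version)) for host, product, version in rows]

if __name__ == "__main__":
    for host, status in triage(INVENTORY):
        print(f"{host}: {status}")
```

Rows reported as `not-listed` or `unparsed` need a manual check against the vendor KB articles, since the ranges in this advisory do not cover them.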
### Workarounds
- **Firewall Restrictions:** Limit access to ports 9392 (VBR), 9401 (VBR), and 6160 (Installer Service) to trusted administrative IP addresses only.
- **Service Isolation:** Ensure backup infrastructure is kept on a non-routed management network.
## Detection
- **Indicators of Compromise:** Monitor for unexpected service restarts of the `VeeamBackupSvc` or `VeeamDeploymentService`. Check for unauthorized files in `C:\Windows\Temp\` or `C:\ProgramData\Veeam\`.
- **Detection Methods and Tools:** Audit Veeam logs located in `%ProgramData%\Veeam\Backup` for unusual connection attempts from unknown IP addresses. Use vulnerability scanners (Nessus/Qualys) with updated plugins for Veeam 2026 advisory checks.
## References
- Veeam KB4852 (VBR Fixes): hxxps[://]www[.]veeam[.]com/kb4852
- Veeam KB4858 (Veeam ONE Fixes): hxxps[://]www[.]veeam[.]com/kb4858
- Veeam KB4853 (VSPC Fixes): hxxps[://]www[.]veeam[.]com/kb4853
- Canadian Centre for Cyber Security Advisory: hxxps[://]www[.]cyber[.]gc[.]ca/en/alerts-advisories/veeam-security-advisory-av26-513