Wednesday, 09 July 2025

Critical vulnerabilities patched in Veeam products

Veeam announced patches for critical vulnerabilities impacting Veeam Backup & Replication, a backup solution for virtual environments, and Veeam Agent for Microsoft Windows, a Windows data backup product. Two critical vulnerabilities (CVE-2022-26500, CVE-2022-26501) found in Veeam Backup & Replication may allow an unauthorized attacker to perform Remote Code Execution (RCE) and gain control over the target system. The vulnerable product versions are 9.5, 10, and 11. Patches are included in the following Veeam Backup & Replication versions: 11a (build 11.0.1.1261 P20220302) and 10a (build 10.0.1.4854 P20220304).

The security updates also address two high-severity vulnerabilities. The first, tracked as CVE-2022-26504, impacts the component used for Microsoft System Center Virtual Machine Manager (SCVMM) and could lead to remote code execution. The second, CVE-2022-26503, impacts Veeam Agent for Microsoft Windows and could be exploited to elevate privileges and run arbitrary code with LOCAL SYSTEM privileges. CVE-2022-26503 is fixed in the following patched releases of Veeam Agent for Microsoft Windows: 5 (build 5.0.3.4708) and 4 (build 4.0.2.2208).

Source: securityweek.com

17 March 2022
