CVE-2022-26500 — Veeam Backup & Replication

known ransomware use

Veeam Backup & Replication Remote Code Execution Vulnerability

Added to KEV

2022-12-13

Federal due date

2023-01-03

Vendor

Veeam

Product

Backup & Replication

EPSS

95.5th percentile (score 0.190, as of 2026-06-08)

NVD CVSS v3.1

—

Ransomware use

Known

Upstream

https://nvd.nist.gov/vuln/detail/CVE-2022-26500

CISA short description

The Veeam Distribution Service in the Backup & Replication application allows unauthenticated users to access internal API functions. A remote attacker can send input to the internal API which may lead to uploading and executing of malicious code.

Required action

Apply updates per vendor instructions.

EPSS percentile is the FIRST.org exploit-probability ranking as of the date noted above; it moves daily. CVSS reflects NVD's analysis at time of publication.