Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

CISA adds Veeam Backup and Replication bugs to Known Exploited Vulnerabilities Catalog

US CISA added two vulnerabilities impacting Veeam Backup & Replication software to its Known Exploited Vulnerabilities Catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added two vulnerabilities impacting Veeam Backup & Replication software, tracked as CVE-2022-26500 and CVE-2022-26501 (CVSS 3.1 Base Score 9.8), to its Known Exploited Vulnerabilities Catalog. According to Binding Operational Directive (BOD) 22-01: Reducing the Significant […]

CISA BlueHammer (CVE-2026-33825)

US CISA added two vulnerabilities impacting Veeam Backup & Replication software to its Known Exploited Vulnerabilities Catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added two vulnerabilities impacting Veeam Backup & Replication software, tracked as CVE-2022-26500 and CVE-2022-26501 (CVSS 3.1 Base Score 9.8), to its Known Exploited Vulnerabilities Catalog.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts recommend also private organizations review the Catalog and address the vulnerabilities in their infrastructure.

According to the agency, the Veeam Distribution Service in the Backup & Replication application allows unauthenticated users to access internal API functions. A remote attacker can exploit the flaw by sending input to the internal API which may lead to arbitrary code execution.

“Multiple vulnerabilities (CVE-2022-26500CVE-2022-26501) in Veeam Backup & Replication allow executing malicious code remotely without authentication. This may lead to gaining control over the target system.” reads the advisory published by Veeam.

The flaws impact Backup & Replication product versions 9.5, 10, 11, patches are available for the following versions:

Both issues were discovered by Positive Technologies researcher Nikita Petrov.

“We believe that these vulnerabilities will be exploited in real attacks and will put many organizations at significant risk,” said Nikita Petrov. “That is why it is important to install updates as soon as possible or at least take measures to detect abnormal activity associated with these products.

CISA orders federal agencies to address both vulnerabilities by January 03, 2022.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) also added the following issues to the catalog:

  • CVE-2022-42475 – Fortinet FortiOS Heap-Based Buffer Overflow Vulnerability to address January 03, 2022.
  • CVE-2022-44698 – Microsoft Defender SmartScreen Security Feature Bypass Vulnerability to address January 03, 2022.
  • CVE-2022-27518 – Citrix Application Delivery Controller (ADC) and Gateway Authentication Bypass Vulnerability to address January 03, 2022.
  • CVE-2022-42856 – Apple iOS Type Confusion Vulnerability to address January 04, 2022.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Known Exploited Vulnerabilities Catalog)

[adrotate banner=”5″]

[adrotate banner=”13″]