CVE-2021-27877
CVE-2021-27877 is a high-severity vulnerability in Veritas Backup Exec with a CVSS 3.x base score of 8.2. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2023-04-07).
Key facts
- Severity: High (CVSS 3.x base score 8.2)
- CVSS v2: 7.5
- EPSS exploit prediction: 65% (99th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2023-04-07)
- EU (EUVD) id: EUVD-2021-14615
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2023-04-07)
- Affected product: Veritas Backup Exec
- Published:
- Last modified:
Description
An issue was discovered in Veritas Backup Exec before 21.2. It supports multiple authentication schemes: SHA authentication is one of these. This authentication scheme is no longer used in current versions of the product, but hadn't yet been disabled. An attacker could remotely exploit this scheme to gain unauthorized access to an Agent and execute privileged commands.
CVE-2021-27877: Veritas Backup Exec Legacy SHA Authentication Remote Access Vulnerability
AI-generated analysis based on the vulnerability data on this page.
Summary
Veritas Backup Exec prior to version 21.2 retained a legacy SHA authentication mechanism that was no longer actively used but had not been disabled. A remote attacker could exploit this scheme to authenticate to a Backup Exec Agent without valid credentials and execute privileged commands.
Background
Veritas Backup Exec is a data protection and backup solution widely deployed in enterprise environments to protect virtual, physical, and cloud-based workloads. The product architecture includes Backup Exec Agents installed on target systems that communicate with a central server. Agent-to-server communication relies on authentication to prevent unauthorized command execution.
Root Cause
The root cause of this vulnerability is the failure to disable or remove a deprecated SHA authentication scheme during product updates. Although the authentication scheme was no longer in active use, it remained reachable and functional on affected Agents. This represents an insecure design issue where legacy authentication paths are left accessible rather than explicitly decommissioned. No specific CWE identifier has been assigned in the available data.
Impact
This flaw is rated CVSS 3.1 score of 8.2 (HIGH) with a vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N. The network attack vector, low complexity, and lack of required privileges or user interaction mean exploitation is straightforward. The impact is primarily confidentiality (HIGH) and integrity (LOW); availability impact is none under CVSS v3. The CVSS v2 score of 7.5 reflects partial impacts across confidentiality, integrity, and availability. An attacker gaining unauthorized access to a Backup Exec Agent can execute privileged commands, potentially leading to data exfiltration or lateral movement within the backup infrastructure.
Exploitation Walkthrough
From a defensive perspective, exploitation involves a remote attacker targeting the exposed Agent authentication interface and leveraging the legacy SHA scheme to establish a session. The exact technical mechanism involves passing authentication material that the obsolete SHA handler accepts without validating against the current credential store.
Ethics caveat: The following description is provided for defensive awareness only. Organizations should use this information to understand exposure and validate controls, not to attempt unauthorized access.
The attack surface is the Agent listening port on target systems. Because the SHA scheme does not enforce the current authentication policy, an attacker who understands the legacy protocol can submit a request that the Agent interprets as legitimate, granting command execution privileges. No additional exploit code is required beyond crafting a compliant authentication request to the legacy handler.
Affected and Patched Versions
Affected: Veritas Backup Exec versions prior to 21.2.
Patched: Veritas Backup Exec version 21.2 and later. The legacy SHA authentication scheme was disabled in version 21.2.
Remediation
Upgrade to Veritas Backup Exec 21.2 or a later supported version as soon as possible. If immediate patching is not feasible, apply the following compensating controls:
- Restrict network access to Backup Exec Agents using host-based firewalls or network segmentation, allowing only authorized Backup Exec servers to communicate with Agent ports.
- Monitor authentication logs and network connections to Backup Exec Agents for anomalous source addresses or unexpected authentication patterns.
- Verify that Backup Exec Agents are not exposed to untrusted networks, including the internet.
Detection
Security teams can detect potential exploitation by:
- Reviewing network traffic to Backup Exec Agents for unexpected source IPs or unusual authentication request patterns.
- Auditing Agent logs for unauthorized command execution or authentication events that do not correlate with legitimate backup operations.
- Monitoring endpoint detection and response (EDR) alerts for privileged process execution originating from Backup Exec Agent processes outside normal maintenance windows.
Assessment
This vulnerability has an EPSS score of 0.6491, placing it in the 99.15th percentile, indicating a very high probability of active exploitation. It is also listed in CISA's Known Exploited Vulnerabilities catalog with an addition date of 2023-04-07, and it appears on the EU exploited vulnerabilities list with the same date. Organizations should prioritize patching because exploitation is confirmed in the wild and the attack complexity is low.
Lessons learned:
- Legacy authentication mechanisms must be explicitly disabled during product updates, not merely superseded by newer schemes.
- Vulnerabilities with high EPSS scores and confirmed in-the-wild exploitation should be treated as critical patching priorities regardless of their CVSS base score alone.
References
Frequently asked questions
- What is CVE-2021-27877?
- An issue was discovered in Veritas Backup Exec before 21.2. It supports multiple authentication schemes: SHA authentication is one of these. This authentication scheme is no longer used in current versions of the product, but hadn't yet been disabled. An attacker could remotely exploit this scheme to gain unauthorized access to an Agent and execute privileged commands.
- How severe is CVE-2021-27877?
- CVE-2021-27877 has a CVSS 3.x base score of 8.2, rated high severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity low, and availability none.
- Is CVE-2021-27877 being actively exploited?
- Yes. CVE-2021-27877 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2023-04-07, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2021-27877?
- CVE-2021-27877 affects Veritas Backup Exec. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2021-27877?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2021-27877 have an EU (EUVD) identifier?
- Yes. CVE-2021-27877 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2021-14615. It is also flagged as exploited in the EUVD (since 2023-04-07).
- When was CVE-2021-27877 published?
- CVE-2021-27877 was published on 2021-03-01 and last updated on 2026-06-17.
References
- http://packetstormsecurity.com/files/168506/Veritas-Backup-Exec-Agent-Remote-Code-Execution.html
- https://www.veritas.com/content/support/en_US/security/VTS21-001#issue1
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-27877
Affected products (1)
- cpe:2.3:a:veritas:backup_exec:*:*:*:*:*:*:*:*
More vulnerabilities in Veritas Backup Exec
- CVE-2017-8895 — Critical (CVSS 9.8): In Veritas Backup Exec 2014 before build 14.1.1187.1126, 15 before build 14.2.1180.3160, and 16 before FP1, there is a…
- CVE-2020-36167 — Critical (CVSS 9.3): An issue was discovered in the server in Veritas Backup Exec through 16.2, 20.6 before hotfix 298543, and 21.1 before…
- CVE-2021-27878 — High (CVSS 8.8): An issue was discovered in Veritas Backup Exec before 21.2. The communication between a client and an Agent requires…
- CVE-2021-27876 — High (CVSS 8.1): An issue was discovered in Veritas Backup Exec before 21.2. The communication between a client and an Agent requires…
- CVE-2024-33673 — High (CVSS 7.8): An issue was discovered in Veritas Backup Exec before 22.2 HotFix 917391. Improper access controls allow for DLL…
- CVE-2024-33671 — High (CVSS 7.7): An issue was discovered in Veritas Backup Exec before 22.2 HotFix 917391. The Backup Exec Deduplication Multi-threaded…