Code Defence Cyber security

CISA adds critical Veeam Backup and Replication code execution flaw to KEV catalog

An active exploitation campaign targeting internal disaster recovery systems has prompted federal regulators to mandate immediate remediation of a key data management utility. The security defect allows unauthenticated remote actors to bypass internal access validation protocols and execute unauthorized management payloads.

The vulnerability, tracked as CVE-2026-28944, impacts Veeam Backup and Replication software environments. By generating specialized requests targeting the internal backup orchestration ports, an attacker can fully bypass standard administrative authorization layers. CISA validated active weaponization of this mechanism by ransomware networks seeking to disable backup repositories prior to launching encryption attacks.

Targeting data backup infrastructure is a refined strategy used by modern threat networks to enforce extortion demands. By gaining high-privilege access to the disaster recovery plane, an adversary can wipe system historical archives, modify backup schedules, and exfiltrate entire virtual machine snapshots without triggering standard database alarms.

– Apply the emergency service updates issued by Veeam Software across all deployment architectures immediately.

– Isolate backup management servers in tightly restricted internal network zones and block external access to port 9392.

– Review historical backup system access logs for anomalous API tokens or unexpected command strings.

– Implement immutable backup configurations to guarantee data recovery paths remain independent of system administrative states.
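As an added illustration of the port 9392 isolation step (not code from the advisory or from Veeam), the following script flags firewall allow rules that open the port to sources outside a management zone. The rule format, rule names and the 10.20.30.0/28 management subnet are constructed assumptions, and the model ignores rule ordering and deny precedence.

```python
import ipaddress

VEEAM_PORT = 9392  # port named in the advisory above

# Assumption: subnets permitted to reach the backup management service.
MGMT_ZONES = [ipaddress.ip_network("10.20.30.0/28")]

# Constructed sample rules (not taken from any real firewall export).
SAMPLE_RULES = [
    {"name": "veeam-console-any", "action": "allow", "source": "0.0.0.0/0", "ports": "9392"},
    {"name": "veeam-console-mgmt", "action": "allow", "source": "10.20.30.0/28", "ports": "9392"},
    {"name": "legacy-high-ports", "action": "allow", "source": "10.0.0.0/8", "ports": "9000-9500"},
    {"name": "web", "action": "allow", "source": "0.0.0.0/0", "ports": "443"},
    {"name": "block-9392-dmz", "action": "deny", "source": "172.16.0.0/12", "ports": "9392"},
    {"name": "jump-host", "action": "allow", "source": "10.20.30.5", "ports": "9390-9395,22"},
]


def covers_port(spec, port):
    """True if a spec such as '9392', '9000-9500' or '22,9390-9395' includes port."""
    for part in spec.split(","):
        part = part.strip()
        if part in ("any", "*"):
            return True
        low, _, high = part.partition("-")
        if int(low) <= port <= int(high or low):
            return True
    return False


def exposed_rules(rules, zones=MGMT_ZONES, port=VEEAM_PORT):
    """Return names of allow rules that open `port` to sources outside `zones`."""
    findings = []
    for rule in rules:
        if rule["action"] != "allow" or not covers_port(rule["ports"], port):
            continue
        src = ipaddress.ip_network(rule["source"], strict=False)
        # A rule is acceptable only if its whole source range sits inside a zone.
        if not any(src.version == z.version and src.subnet_of(z) for z in zones):
            findings.append(rule["name"])
    return findings


if __name__ == "__main__":
    for name in exposed_rules(SAMPLE_RULES):
        print(f"REVIEW: rule '{name}' allows port {VEEAM_PORT} from outside the management zone")
```

Broad port ranges such as the constructed `legacy-high-ports` rule are the case a search for the literal string "9392" would miss.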

Disaster recovery platforms require strict access perimeters to ensure that initial infrastructure compromises cannot eliminate data restoration capabilities. #CodeDefence #Veeam #CISA #KEV #Ransomware