Arbitrary File Access via Flawed SHA Authentication in Veritas Backup Exec Agent
CVE-2021-27876 is a vulnerability in Veritas Backup Exec (versions 16.x, 20.x, and 21.1) where a flaw in the SHA authentication scheme allows an attacker to gain unauthorized access to the Backup Exec Agent. Once authenticated, the attacker can execute data management protocol commands, including those that allow access to arbitrary files on the system with SYSTEM privileges. The vulnerability is present in all agents on all platforms running the affected versions.
Are you exposed to this one?
Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.
Impact, mitigation & remediation
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
Impact
What an attacker gets, and what they’ve been doing with it.
Mitigation
If you can’t patch tonight, do this now.
Remediation
Patch, then assume compromise.
Exploits
1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos.
Repository is a small standalone Python proof-of-concept/operational exploit consisting of one main script (be_rce.py), a README, and a license. The script targets Veritas Backup Exec Agent over the network on TCP/10000 using NDMP and implements a full exploit chain for CVE-2021-27876, CVE-2021-27877, and CVE-2021-27878. The exploit is not merely a detector: it performs active exploitation. Its core capabilities are: connecting to the NDMP service, performing the custom TLS-related handshake by generating a local CA and signing the agent CSR, abusing the SHA authentication weakness to authenticate as Administrator without a password, invoking NDMP_EXECUTE_COMMAND to run arbitrary OS commands as NT AUTHORITY\SYSTEM, reading command output back from a temporary file via NDMP file operations, and deleting the temporary file afterward. Code structure in be_rce.py includes: XDR serialization/deserialization helpers for NDMP message formatting; an NDMPSock class for framed NDMP send/receive and TLS socket wrapping; certificate helper routines to generate a CA and sign the server CSR; and an exploit entry point that chains connection, handshake, auth bypass, command execution, file open/read/close, and cleanup. The script accepts target and command from the command line, with a hardcoded default target IP if omitted. Notable observables include the NDMP service port 10000, the Windows temp output file C:\Windows\Temp\_be_out.txt, and use of C:\Windows\System32\cmd.exe for execution. The README documents affected versions, usage examples, and remediation guidance. Overall, this is a real standalone network RCE exploit with a basic but functional hardcoded payload flow, making it best classified as OPERATIONAL rather than a framework-integrated or detection-only artifact.
Affected products & vendors
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
Recent activity
1 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
The version that knows your environment.
Query your assets running an affected version, and investigate the blast radius.
Every observed campaign linking this CVE to a named adversary.
Malware families riding this exploit, with evidence and IOCs.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Cross-references every affected SKU, including bundled OEM variants.
Community discussion across Reddit, Mastodon, and other social sources.