{"api_version":"1","generated_at":"2026-04-23T01:33:36+00:00","cve":"CVE-2021-27877","urls":{"html":"https://cve.report/CVE-2021-27877","api":"https://cve.report/api/cve/CVE-2021-27877.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2021-27877","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2021-27877"},"summary":{"title":"CVE-2021-27877","description":"An issue was discovered in Veritas Backup Exec before 21.2. It supports multiple authentication schemes: SHA authentication is one of these. This authentication scheme is no longer used in current versions of the product, but hadn't yet been disabled. An attacker could remotely exploit this scheme to gain unauthorized access to an Agent and execute privileged commands.","state":"PUBLIC","assigner":"cve@mitre.org","published_at":"2021-03-01 22:15:00","updated_at":"2022-09-27 20:15:00"},"problem_types":["CWE-287"],"metrics":[],"references":[{"url":"http://packetstormsecurity.com/files/168506/Veritas-Backup-Exec-Agent-Remote-Code-Execution.html","name":"http://packetstormsecurity.com/files/168506/Veritas-Backup-Exec-Agent-Remote-Code-Execution.html","refsource":"MISC","tags":[],"title":"Veritas Backup Exec Agent Remote Code Execution ≈ Packet Storm","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.veritas.com/content/support/en_US/security/VTS21-001#issue1","name":"https://www.veritas.com/content/support/en_US/security/VTS21-001#issue1","refsource":"MISC","tags":["Vendor Advisory"],"title":"Security Advisory for Backup Exec version 21.2 | Veritas™","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2021-27877","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-27877","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2021","cve_id":"27877","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"veritas","cpe5":"backup_exec","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"27877","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"veritas","cpe5":"backup_exec","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":{"cve_year":"2021","cve_id":"27877","cve":"CVE-2021-27877","vendorProject":"Veritas","product":"Backup Exec Agent","vulnerabilityName":"Veritas Backup Exec Agent Improper Authentication Vulnerability","dateAdded":"2023-04-07","shortDescription":"Veritas Backup Exec (BE) Agent contains an improper authentication vulnerability that could allow an attacker unauthorized access to the BE Agent via SHA authentication scheme.","requiredAction":"Apply updates per vendor instructions.","dueDate":"2023-04-28","knownRansomwareCampaignUse":"Known","notes":"https://www.veritas.com/support/en_US/security/VTS21-001; https://nvd.nist.gov/vuln/detail/CVE-2021-27877","cwes":"CWE-287","catalogVersion":"2026.04.22","updated_at":"2026-04-22 20:03:10"},"epss":{"cve_year":"2021","cve_id":"27877","cve":"CVE-2021-27877","epss":"0.407280000","percentile":"0.973840000","score_date":"2026-04-22","updated_at":"2026-04-23 00:03:16"},"legacy_qids":[{"cve":"CVE-2021-27877","qid":"378370","title":"Veritas Backup Exec Multiple Security Vulnerabilities (VTS21-001)"}]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"cve@mitre.org","ID":"CVE-2021-27877","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"An issue was discovered in Veritas Backup Exec before 21.2. It supports multiple authentication schemes: SHA authentication is one of these. This authentication scheme is no longer used in current versions of the product, but hadn't yet been disabled. An attacker could remotely exploit this scheme to gain unauthorized access to an Agent and execute privileged commands."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"url":"https://www.veritas.com/content/support/en_US/security/VTS21-001#issue1","refsource":"MISC","name":"https://www.veritas.com/content/support/en_US/security/VTS21-001#issue1"},{"refsource":"MISC","name":"http://packetstormsecurity.com/files/168506/Veritas-Backup-Exec-Agent-Remote-Code-Execution.html","url":"http://packetstormsecurity.com/files/168506/Veritas-Backup-Exec-Agent-Remote-Code-Execution.html"}]},"impact":{"cvss":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","confidentialityImpact":"HIGH","integrityImpact":"LOW","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AC:L/AV:N/A:N/C:H/I:L/PR:N/S:U/UI:N","version":"3.1"}}},"nvd":{"publishedDate":"2021-03-01 22:15:00","lastModifiedDate":"2022-09-27 20:15:00","problem_types":["CWE-287"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":9.8,"baseSeverity":"CRITICAL"},"exploitabilityScore":3.9,"impactScore":5.9},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:P/I:P/A:P","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL","baseScore":7.5},"severity":"HIGH","exploitabilityScore":10,"impactScore":6.4,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:veritas:backup_exec:*:*:*:*:*:*:*:*","versionEndExcluding":"21.2","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2021","CveId":"27877","Ordinal":"202991","Title":"CVE-2021-27877","CVE":"CVE-2021-27877","Year":"2021"},"notes":[{"CveYear":"2021","CveId":"27877","Ordinal":"1","NoteData":"An issue was discovered in Veritas Backup Exec before 21.2. It supports multiple authentication schemes: SHA authentication is one of these. This authentication scheme is no longer used in current versions of the product, but hadn't yet been disabled. An attacker could remotely exploit this scheme to gain unauthorized access to an Agent and execute privileged commands.","Type":"Description","Title":null},{"CveYear":"2021","CveId":"27877","Ordinal":"2","NoteData":"2021-03-01","Type":"Other","Title":"Published"},{"CveYear":"2021","CveId":"27877","Ordinal":"3","NoteData":"2021-03-01","Type":"Other","Title":"Modified"}]}}}