PatchSiren cyber security CVE debrief
CVE-2017-6403 Veritas CVE debrief
CVE-2017-6403 describes a critical hardcoded-credentials flaw in Veritas NetBackup Cloud Storage Service. NVD lists affected NetBackup versions before 8.0 and NetBackup Appliance versions before 3.0. Because the service uses a hardcoded username and password, an attacker who can reach the service may be able to authenticate without legitimate credentials and compromise backup-related systems and data.
- Vendor: Veritas
- Product: CVE-2017-6403
- CVSS: CRITICAL 9.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-03-02
- Original CVE updated: 2026-05-13
- Advisory published: 2017-03-02
- Advisory updated: 2026-05-13
Who should care
Administrators and security teams responsible for Veritas NetBackup and NetBackup Appliance deployments, especially environments running versions earlier than NetBackup 8.0 or NetBackup Appliance 3.0. Backup infrastructure owners should treat this as high priority because it affects systems that protect critical data.
Technical summary
NVD classifies the weakness as CWE-798 (Use of Hard-coded Credentials) and assigns CVSS 3.0 vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating a remotely reachable issue with no privileges or user interaction required and potentially severe confidentiality, integrity, and availability impact. The vulnerability description states that NetBackup Cloud Storage Service uses a hardcoded username and password.
Defensive priority
Critical. Prioritize remediation immediately for any exposed or in-scope NetBackup or NetBackup Appliance instance at affected versions.
Recommended defensive actions
- Inventory all Veritas NetBackup and NetBackup Appliance installations and confirm whether any are earlier than NetBackup 8.0 or NetBackup Appliance 3.0.
- Upgrade or migrate to vendor-fixed releases beyond the affected version ranges.
- Follow the Veritas security advisory referenced in the NVD record (VTS17-003, Issue 10) for product-specific remediation guidance.
- Review whether the Cloud Storage Service is reachable from untrusted networks and restrict exposure where possible until upgrades are complete.
- Rotate any credentials, secrets, or access tokens associated with backup and cloud storage integrations after remediation.
- Check backup system logs and access records for unexpected authentication or configuration changes around the affected service.
Evidence notes
This debrief is based only on the supplied NVD record metadata and the referenced Veritas advisory link. The corpus provides the vulnerability description, affected version ranges, CVSS vector and score, and the CWE mapping, but not the full vendor advisory text. The published date used here is the CVE/NVD publication timestamp supplied in the corpus: 2017-03-02T06:59:00.667Z. The record was later modified on 2026-05-13T00:24:29.033Z; that is not the original disclosure date.
Official resources
- CVE-2017-6403 CVE record (CVE.org)
- CVE-2017-6403 NVD detail (NVD)
- Source item URL (nvd_modified)
- Source reference
- Mitigation or vendor reference (Vendor Advisory)
The CVE was published in the supplied corpus on 2017-03-02. The NVD record was modified on 2026-05-13. The corpus also cites a Veritas vendor advisory and a SecurityFocus BID as supporting references.