PatchSiren

CVE-2017-6405 Veritas CVE debrief

Veritas NetBackup 8.0 and earlier, and NetBackup Appliance 3.0 and earlier, include hostname-based security that is open to DNS spoofing. In practice, that means an attacker who can influence DNS resolution may be able to undermine hostname trust and impact integrity-sensitive security decisions. Because the issue is network reachable and requires no privileges or user interaction, it should be treated as a high-priority exposure wherever these products are still in use.

Vendor: Veritas
Product: CVE-2017-6405
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-03-02
Original CVE updated: 2026-05-13
Advisory published: 2017-03-02
Advisory updated: 2026-05-13

Who should care

Administrators, security teams, and platform owners running Veritas NetBackup 8.0 or earlier, or NetBackup Appliance 3.0 or earlier, especially in environments that rely on hostname-based trust, authorization, or management workflows.

Technical summary

NVD maps CVE-2017-6405 to CWE-290 (Authentication Bypass by Spoofing) and assigns CVSS 3.0 vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N. The affected product scope in the record covers Veritas NetBackup up to 8.0 and NetBackup Appliance up to 3.0. The core issue is that hostname-based security can be fooled if DNS responses are spoofed, creating a path to integrity compromise without requiring local access or user interaction.

Defensive priority

High

Recommended defensive actions

  • Inventory all Veritas NetBackup and NetBackup Appliance instances and confirm whether any are at or below the affected versions.
  • Follow the remediation guidance in the Veritas security advisory referenced by NVD (VTS17-003, Issue 7).
  • Review any controls that treat hostname resolution as a security boundary or authentication signal.
  • Strengthen DNS integrity monitoring and alert on unexpected changes affecting NetBackup-related hostnames.
  • Prefer stronger identity validation than hostname-only trust where the product or deployment supports it.
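
One way to implement the DNS integrity monitoring item above, as an added example that is not part of the NVD record or the Veritas advisory: compare what the resolver returns for NetBackup-related hostnames against a pinned baseline and report drift. The hostnames, addresses and function names are hypothetical placeholders.

```python
import socket

# Constructed baseline: placeholder hostnames with RFC 5737 documentation addresses.
BASELINE = {
    "nbu-master.example": {"192.0.2.10"},
    "nbu-media01.example": {"192.0.2.21", "192.0.2.22"},
    "nbu-client07.example": {"192.0.2.57"},
}

def system_resolver(hostname):
    """Resolve through the OS resolver, the path a hostname-trusting service uses."""
    infos = socket.getaddrinfo(hostname, None, proto=socket.IPPROTO_TCP)
    return {info[4][0] for info in infos}

def static_resolver(answers):
    """Offline stand-in for tests: serve canned answers, fail like DNS otherwise."""
    def resolve(hostname):
        if hostname not in answers:
            raise socket.gaierror("name not known")
        return set(answers[hostname])
    return resolve

def check_drift(baseline, resolve=system_resolver):
    """Return (host, status, addresses) for each host that departs from the baseline."""
    findings = []
    for host in sorted(baseline):
        expected = set(baseline[host])
        try:
            seen = set(resolve(host))
        except OSError:  # socket.gaierror subclasses OSError
            findings.append((host, "unresolvable", []))
            continue
        if seen - expected:
            # An address outside the pinned set is the spoofing-relevant signal.
            findings.append((host, "unexpected_address", sorted(seen - expected)))
        elif expected - seen:
            # Lower severity: a pinned address is no longer being returned.
            findings.append((host, "missing_address", sorted(expected - seen)))
    return findings

if __name__ == "__main__":
    # Constructed observation: master answer changed, one media record dropped,
    # and the client name no longer resolves.
    observed = static_resolver({
        "nbu-master.example": {"198.51.100.7"},
        "nbu-media01.example": {"192.0.2.21"},
    })
    for host, status, addrs in check_drift(BASELINE, observed):
        print(f"ALERT {status} {host} {' '.join(addrs)}".rstrip())
```

Run it from the same network segment and resolver configuration as the NetBackup hosts, since a check made through a different resolver path will not see what those hosts see.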

Evidence notes

The supplied NVD record states that the issue affects Veritas NetBackup 8.0 and earlier and NetBackup Appliance 3.0 and earlier, with CWE-290 and CVSS 3.0 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N. The CVE publication date is 2017-03-02. The 2026-05-13 modified date is record metadata and should not be interpreted as the original disclosure date.

Official resources

Publicly disclosed in the CVE/NVD record on 2017-03-02. The later 2026-05-13 modification reflects record updates, not the original vulnerability date.