PatchSiren cyber security CVE debrief
CVE-2017-6406 Veritas CVE debrief
CVE-2017-6406 describes a privileged command execution flaw in Veritas NetBackup and NetBackup Appliance that can be triggered through whitelist directory escape using "../" substrings. The CVE was published on 2017-03-02 and is rated HIGH (CVSS 8.8). The official CVSS vector indicates local access, low privileges, no user interaction, and a changed scope impact with high confidentiality, integrity, and availability consequences.
- Vendor: Veritas
- Product: CVE-2017-6406
- CVSS: HIGH 8.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-03-02
- Original CVE updated: 2026-05-13
- Advisory published: 2017-03-02
- Advisory updated: 2026-05-13
Who should care
Administrators and security teams responsible for Veritas NetBackup and NetBackup Appliance deployments should prioritize this. Because the CVSS vector indicates local access with low privileges, environments that allow interactive logins, service accounts, or administrative scripting on backup systems should pay special attention.
Technical summary
The NVD description says an arbitrary privileged command execution issue can occur when whitelist directory checks are bypassed with "../" substrings. The affected versions listed in the source are Veritas NetBackup before 7.7.2 and Veritas NetBackup Appliance before 2.7.2. NVD also lists Veritas Access up to 7.2.1 as vulnerable in its CPE criteria. The official CVSS 3.0 vector is AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H, which supports a local, low-privilege attack path with severe impact if exploited.
Defensive priority
High. This is a local attack that needs only low privileges and can lead to privileged command execution on a backup platform, which often has broad access to protected data and infrastructure.
Recommended defensive actions
- Upgrade Veritas NetBackup to 7.7.2 or later.
- Upgrade Veritas NetBackup Appliance to 2.7.2 or later.
- Review any Veritas Access deployments against the NVD CPE scope listed for this CVE and apply vendor guidance if applicable.
- Restrict local and administrative access on backup systems to the minimum required accounts.
- Audit backup appliance and server logs for unexpected command execution or path traversal patterns involving "../".
- Use the Veritas advisory linked in the source to confirm product-specific remediation steps and any deployment prerequisites.
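The audit step above looks for "../" patterns, but a substring match alone does not tell you whether a requested path actually escapes a whitelisted directory. The following Python is an added illustration written for this debrief, not code from Veritas or from the advisory: it pairs a canonicalising containment check with a scan over constructed log lines, and the whitelist directory, the `exec=` field format and the log lines are all hypothetical.

```python
import os
import re

# Constructed values for this example; nothing here is taken from
# Veritas NetBackup or from the advisory.
WHITELIST_DIR = "/opt/backup/allowed"   # hypothetical allowed script root
EXEC_FIELD_RE = re.compile(r"exec=(\S+)")
DOTDOT_RE = re.compile(r"(?<![\w.])\.\.(?=[\\/]|$)")  # a ".." path segment

def resolves_inside(base, candidate):
    """True only if candidate, joined to base and canonicalised, still
    lies under base. A substring test for "../" is not a containment
    check: normalise the joined path and compare path components, so a
    sibling directory sharing a name prefix (allowed2) is also rejected."""
    base_norm = os.path.normpath(base)
    joined = os.path.normpath(os.path.join(base_norm, candidate))
    try:
        return os.path.commonpath([base_norm, joined]) == base_norm
    except ValueError:  # mixed absolute/relative paths or different drives
        return False

def audit_exec_lines(log_lines, base=WHITELIST_DIR):
    """Return (line_no, requested_path, reason) for each log line whose
    exec= target either contains a dot-dot segment or resolves outside
    the whitelist directory. Lines without an exec= field are skipped."""
    findings = []
    for n, line in enumerate(log_lines, start=1):
        m = EXEC_FIELD_RE.search(line)
        if not m:
            continue
        target = m.group(1)
        if DOTDOT_RE.search(target):
            findings.append((n, target, "dot-dot segment"))
        elif not resolves_inside(base, target):
            findings.append((n, target, "outside whitelist"))
    return findings

# Constructed sample log lines (not real NetBackup output).
SAMPLE_LOG = [
    "2017-03-02T10:00:01 user=bkpsvc exec=scripts/nightly.sh rc=0",
    "2017-03-02T10:00:07 user=bkpsvc exec=../../tmp/unvetted.sh rc=0",
    "2017-03-02T10:00:09 user=bkpsvc exec=/tmp/unvetted.sh rc=1",
    "2017-03-02T10:00:12 user=bkpsvc status=idle",
]

if __name__ == "__main__":
    for n, target, reason in audit_exec_lines(SAMPLE_LOG):
        print(f"line {n}: {target} ({reason})")
```

The second finding shows why the containment check matters: an absolute path outside the whitelist carries no "../" at all and would pass a substring-only audit.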
Evidence notes
Source evidence comes from the official NVD CVE record and the linked Veritas advisory reference. The description explicitly states arbitrary privileged command execution via whitelist directory escape using "../" substrings. NVD lists affected version end bounds of NetBackup 7.7.1 and NetBackup Appliance 2.7.1, which align with the description's "before 7.7.2" and "before 2.7.2" remediation thresholds. NVD's CPE criteria also include Veritas Access through 7.2.1, which is broader than the short description and should be treated as a source-detail note rather than a standalone claim.
Official resources
- CVE-2017-6406 CVE record (CVE.org)
- CVE-2017-6406 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference
  - Mitigation or vendor reference: [email protected] (Vendor Advisory)
Published by the CVE/NVD ecosystem on 2017-03-02; NVD metadata was last modified on 2026-05-13. This debrief uses the published CVE details and official vendor/NVD references only.