PatchSiren cyber security CVE debrief
CVE-2017-6407 Veritas CVE debrief
CVE-2017-6407 is a high-severity Veritas NetBackup issue disclosed on 2017-03-02. The CVE record states that affected versions include NetBackup before 7.7.2 and NetBackup Appliance before 2.7.2, and that privileged remote command execution can occur on the NetBackup Server and Client. NVD assigns the issue a CVSS v3.0 score of 8.8 (HIGH), reflecting severe confidentiality, integrity, and availability impact. Administrators should treat this as an urgent patching item for exposed or operational backup infrastructure.
- Vendor: Veritas
- Product: CVE-2017-6407
- CVSS: HIGH 8.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-03-02
- Original CVE updated: 2026-05-13
- Advisory published: 2017-03-02
- Advisory updated: 2026-05-13
Who should care
Veritas NetBackup administrators, backup platform owners, and security teams responsible for servers or connected clients running NetBackup before 7.7.2 or NetBackup Appliance before 2.7.2.
Technical summary
The official CVE description identifies a privileged remote command execution condition affecting Veritas NetBackup Server and Client. The NVD entry maps vulnerable CPE ranges to NetBackup versions through 7.7.1 and NetBackup Appliance versions through 2.7.1. NVD also lists CVSS v3.0 vector AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H, which decodes to a local attack vector, low attack complexity, low privileges required, no user interaction, a changed scope, and high impact on confidentiality, integrity, and availability if exploitation succeeds. The supplied corpus does not provide exploit details, so remediation should focus on version verification and vendor-guided patching.
Defensive priority
High. This affects backup infrastructure and can lead to high-impact compromise of confidentiality, integrity, and availability. Prioritize remediation on any internet-reachable, admin-reachable, or operationally critical NetBackup systems still running the affected versions.
Recommended defensive actions
- Verify whether any NetBackup servers or clients are running versions before 7.7.2, and whether any NetBackup Appliance instances are running before 2.7.2.
- Apply the Veritas guidance referenced in the vendor advisory for CVE-2017-6407 and upgrade to a fixed release.
- Inventory connected clients as well as central servers, since the CVE description covers server and client contexts.
- If patching is delayed, restrict administrative access to NetBackup systems and monitor for unexpected command execution or privilege-related anomalies.
- Use the official CVE and NVD records to confirm scope before scheduling remediation work.
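A version triage for the inventory and verification actions above, as an added example that is not part of the original debrief or of any Veritas tooling. It classifies a constructed inventory (hypothetical host names; the CSV columns are assumptions) against the fixed releases 7.7.2 and 2.7.2 named in the CVE description, and flags versions it cannot parse for manual verification.

```python
import csv
import io

# Fixed releases as stated in the CVE description quoted on this page.
FIXED = {"netbackup": (7, 7, 2), "netbackup appliance": (2, 7, 2)}

# Constructed sample inventory (hypothetical hosts and column names).
SAMPLE_INVENTORY = """host,product,role,version
bkp-master01,NetBackup,server,7.7.1
bkp-media02,NetBackup,server,7.7.2
app-db17,NetBackup,client,7.6.1.2
app-web03,NetBackup,client,8.0
nbu-appl01,NetBackup Appliance,appliance,2.7.1
nbu-appl02,NetBackup Appliance,appliance,2.7.2
app-old09,NetBackup,client,7.7
app-unk11,NetBackup,client,unknown
"""

def parse_version(text):
    """Return a tuple of ints, or None if the string is not dotted-numeric."""
    parts = text.strip().split(".")
    if not all(p.isdecimal() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def is_before(version, fixed):
    """Compare after zero-padding so that 7.7 is treated as 7.7.0."""
    width = max(len(version), len(fixed))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(version) < pad(fixed)

def triage(inventory_csv):
    """Classify each host as 'affected', 'fixed' or 'verify-manually'."""
    results = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        fixed = FIXED.get(row["product"].strip().lower())
        version = parse_version(row["version"])
        if fixed is None or version is None:
            status = "verify-manually"  # unknown product or unparseable version
        elif is_before(version, fixed):
            status = "affected"
        else:
            status = "fixed"
        results[row["host"]] = status
    return results

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:14} {status}")
```

Clients are triaged with the same threshold as servers because the CVE description covers both contexts.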
Evidence notes
The CVE description says the issue is in Veritas NetBackup before 7.7.2 and NetBackup Appliance before 2.7.2, and that privileged remote command execution can occur on the NetBackup Server and Client. The NVD metadata provides the vulnerable CPE ranges through 7.7.1 and 2.7.1 and assigns CVSS v3.0 AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H. A Veritas vendor advisory is referenced in the supplied source set.
Official resources
- CVE-2017-6407 CVE record (CVE.org)
- CVE-2017-6407 NVD detail (NVD)
- Source item URL (nvd_modified)
- Source reference
- Mitigation or vendor reference ([email protected] - Vendor Advisory)
Publicly disclosed on 2017-03-02, per the CVE published date in the supplied timeline.