Critical Remote Code Execution Vulnerability Detected in Veeam Backup & Replication Software
September 5, 2024
Veeam has published security patches for numerous products, addressing 18 high- and critical-severity vulnerabilities. The most serious of these is CVE-2024-40711, a critical remote code execution (RCE) flaw in Veeam Backup & Replication (VBR) that can be exploited without authentication.
VBR is a crucial tool for managing and securing backup infrastructure for businesses, thereby playing an essential role in data protection. Due to its potential use as a pivot point for lateral movement, it is deemed a high-value target for ransomware operators. These malicious actors aim to steal backups for double-extortion and delete or encrypt backup sets, leaving victims without any recovery options.
In previous instances, threat actors such as the Cuba ransomware gang and FIN7, known to partner with Conti, REvil, Maze, Egregor, and BlackBasta, were seen exploiting VBR vulnerabilities. The vulnerability, CVE-2024-40711, was reported through HackerOne and affects Veeam Backup & Replication 12.1.2.172 and all earlier versions of the 12 branch.
While full technical details have not been disclosed, critical RCE vulnerabilities typically allow a complete system takeover. Users are therefore strongly advised not to delay installing the patched build, VBR version 12.2.0.334. The other vulnerabilities noted in the bulletin also affect Backup & Replication versions 12.1.2.172 and older.
The bulletin also lists four more critical-severity vulnerabilities affecting Veeam Service Provider Console (VSPC) versions 8.1.0.21377 and earlier and Veeam ONE versions 12.1.0.3208 and older. The first, CVE-2024-42024, allows an attacker holding ONE Agent service account credentials to perform remote code execution on the host machine. Veeam ONE is also affected by CVE-2024-42019, which allows an attacker to access the NTLM hash of the Reporter Service account; exploiting this flaw requires that data collection through VBR has previously taken place.
In the Veeam Service Provider Console, CVE-2024-38650 allows a low-privileged attacker to access the NTLM hash of the service account on the VSPC server. Another critical issue, CVE-2024-39714, enables a low-privileged user to upload arbitrary files to the server, leading to remote code execution. All of these issues were resolved in Veeam ONE version 12.2.0.4093 and Veeam Service Provider Console version 8.1.0.21377, and users are encouraged to upgrade as soon as possible.
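The affected ranges above are easy to misread when triaging an estate with several Veeam products, so the following is an added example (not Veeam's code, and not from the bulletin) that encodes the version bounds exactly as this article states them and checks a constructed inventory against them. Note that the article gives 8.1.0.21377 as both the upper bound of the affected VSPC range and the fixed VSPC version; the example follows the affected-range wording and treats builds up to and including that number as needing attention. The hostnames and builds in the sample inventory are constructed, and the helper names are the example's own.

```python
"""Version-threshold check for the Veeam products named in the bulletin.

Added example, not Veeam's code. The affected ranges are taken from the
article text; the sample inventory below is constructed for illustration.
"""
from typing import Dict, List, Tuple

Version = Tuple[int, int, int, int]

# Upper bound (inclusive) of the affected range per product, per the article:
#   VBR:  "12.1.2.172 and all earlier versions of the 12 branch"
#   ONE:  "12.1.0.3208 and older"
#   VSPC: "8.1.0.21377 and earlier"
AFFECTED_MAX: Dict[str, Version] = {
    "VBR": (12, 1, 2, 172),
    "ONE": (12, 1, 0, 3208),
    "VSPC": (8, 1, 0, 21377),
}

# Lower bound of the affected range. The article scopes the VBR finding to
# the 12 branch, so earlier branches fall outside the stated range and get
# no verdict from this check (it does not claim they are safe).
AFFECTED_MIN: Dict[str, Version] = {
    "VBR": (12, 0, 0, 0),
}


def parse_version(text: str) -> Version:
    """Turn '12.1.2.172' into (12, 1, 2, 172); shorter strings are zero-padded."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"unexpected version format: {text!r}")
    padded = parts + [0] * (4 - len(parts))
    return (padded[0], padded[1], padded[2], padded[3])


def is_affected(product: str, version: str) -> bool:
    """True when the build lies inside the article's affected range for the product."""
    v = parse_version(version)
    floor = AFFECTED_MIN.get(product, (0, 0, 0, 0))
    return floor <= v <= AFFECTED_MAX[product]


def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str, str]]:
    """Return (host, product, version, verdict) for each (host, product, version) row."""
    results = []
    for host, product, version in inventory:
        verdict = "PATCH" if is_affected(product, version) else "outside affected range"
        results.append((host, product, version, verdict))
    return results


# Constructed sample inventory: hostnames are made up, builds are the
# boundary values the article quotes so each branch of the check is exercised.
SAMPLE_INVENTORY: List[Tuple[str, str, str]] = [
    ("bkp-01", "VBR", "12.1.2.172"),    # last affected VBR build
    ("bkp-02", "VBR", "12.2.0.334"),    # fixed VBR build
    ("one-01", "ONE", "12.1.0.3208"),   # last affected ONE build
    ("one-02", "ONE", "12.2.0.4093"),   # fixed ONE build
    ("vspc-01", "VSPC", "8.1.0.21377"), # upper bound of the stated VSPC range
]

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print("%-8s %-5s %-12s %s" % row)
```

The comparison is done on integer tuples rather than strings so that a build such as 12.1.2.172 sorts correctly against 12.2.0.334 (a plain string comparison would get four-segment builds wrong once a segment exceeds one digit).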