Critical Security Flaw in Veeam Backup Enterprise Manager: Urgent Patch Required

May 21, 2024

Veeam has alerted its customers to patch a critical security flaw that allows unauthenticated attackers to log in to any account through Veeam Backup Enterprise Manager (VBEM). VBEM is a web-based tool that lets administrators manage Veeam Backup & Replication installations from a single web console. It is designed to manage backup jobs and carry out restore operations across an organization's backup infrastructure and large-scale deployments. Notably, VBEM is not enabled by default, so not every environment is exposed to attacks exploiting CVE-2024-29849, to which Veeam has assigned a CVSS base score of 9.8/10.

The company states, "This vulnerability in Veeam Backup Enterprise Manager allows an unauthenticated attacker to log in to the Veeam Backup Enterprise Manager web interface as any user." Administrators who cannot promptly upgrade to VBEM version 12.1.2.172, which fixes this issue, can mitigate it by stopping and disabling the VeeamEnterpriseManagerSvc (Veeam Backup Enterprise Manager) and VeeamRESTSvc (Veeam RESTful API) services. If Veeam Backup Enterprise Manager is not currently in use, it can also be uninstalled to remove the attack surface entirely.
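One way to script the interim mitigation described above on a VBEM host, as an added PowerShell example that is neither Veeam's nor the article's code. It assumes the Enterprise Manager service executable's file version tracks the product build (12.1.2.172 is the fixed build named by Veeam); the function names are hypothetical and the script must run elevated on the VBEM server.

```powershell
# Added example (not Veeam's or the article's code): check the installed VBEM
# build and, if it is below the fixed build, apply Veeam's interim mitigation of
# stopping and disabling the two services named in the advisory.
# Assumption: the service binary's FileVersion reflects the installed product build.

$FixedBuild = [version]'12.1.2.172'
$Services   = @('VeeamEnterpriseManagerSvc', 'VeeamRESTSvc')

function Get-VbemInstalledBuild {
    # Locate the Enterprise Manager service executable and read its file version.
    $svc = Get-CimInstance Win32_Service -Filter "Name='VeeamEnterpriseManagerSvc'"
    if (-not $svc) { return $null }
    # PathName may be quoted and may carry arguments; keep only the executable path.
    $exe = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] } else { ($svc.PathName -split ' ')[0] }
    return ((Get-Item $exe).VersionInfo.FileVersion -as [version])
}

function Invoke-VbemMitigation {
    param([switch]$WhatIf)
    foreach ($name in $Services) {
        $s = Get-Service -Name $name -ErrorAction SilentlyContinue
        if (-not $s) { Write-Output "$name not present, skipping"; continue }
        if ($WhatIf) {
            Write-Output "Would stop and disable $name (currently $($s.Status)/$($s.StartType))"
            continue
        }
        Stop-Service -Name $name -Force          # stop the listening service now
        Set-Service  -Name $name -StartupType Disabled   # keep it down across reboots
        $s = Get-Service -Name $name
        Write-Output "$name -> Status=$($s.Status) StartType=$($s.StartType)"
    }
}

$build = Get-VbemInstalledBuild
if ($null -eq $build) {
    Write-Output 'VeeamEnterpriseManagerSvc not found or version unreadable; verify VBEM install manually.'
} elseif ($build -ge $FixedBuild) {
    Write-Output "Installed build $build is at or above $FixedBuild; interim mitigation not required."
} else {
    Write-Output "Installed build $build is below $FixedBuild; applying interim mitigation."
    Invoke-VbemMitigation
}
```

Run with `Invoke-VbemMitigation -WhatIf` first to see what would change; the mitigation removes the web console and REST API until the host is upgraded, so plan the change window accordingly.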

Alongside this, Veeam has also patched two high-severity VBEM vulnerabilities. One allows account takeover via NTLM relay (CVE-2024-29850), and the other allows high-privileged users to steal the Veeam Backup Enterprise Manager service account's NTLM hash if it's not configured to run as the default Local System account (CVE-2024-29851).

In March 2023, Veeam patched a high-severity vulnerability (CVE-2023-27532) in the Backup & Replication software that could be exploited to breach backup infrastructure hosts. This vulnerability was later exploited in attacks attributed to the financially motivated FIN7 threat group, associated with various ransomware operations such as Conti, REvil, Maze, Egregor, and BlackBasta. In the following months, affiliates of the Cuba ransomware used the same vulnerability in attacks targeting U.S. critical infrastructure and IT companies in Latin America.

In November, Veeam released fixes for two other critical flaws (with 9.8 and 9.9/10 CVSS base scores) in its Veeam ONE IT infrastructure monitoring and analytics platform. These vulnerabilities allowed threat actors to execute remote code (CVE-2023-38547) and steal NTLM hashes (CVE-2023-38548) from vulnerable servers. Veeam's products are used by more than 450,000 customers globally, including 74% of all Global 2,000 companies.
