Critical Security Flaw in Veeam Backup Enterprise Manager: Urgent Patch Required

May 21, 2024

Veeam has alerted its customers to patch a critical security flaw that enables unauthorized attackers to sign into any account via the Veeam Backup Enterprise Manager (VBEM). VBEM is a web-based tool that allows administrators to manage Veeam Backup & Replication installations through a single web console. It is designed to manage backup jobs and carry out restoration operations across an organization's backup infrastructure and large-scale deployments. Notably, VBEM is not enabled by default and not all environments are vulnerable to attacks exploiting the CVE-2024-29849 vulnerability, which Veeam has assigned a CVSS base score of 9.8/10.

The company states, "This vulnerability in Veeam Backup Enterprise Manager allows an unauthenticated attacker to log in to the Veeam Backup Enterprise Manager web interface as any user." Those administrators who are unable to promptly upgrade to VBEM version 12.1.2.172, which rectifies this security issue, can mitigate it by stopping and disabling the VeeamEnterpriseManagerSvc (Veeam Backup Enterprise Manager) and VeeamRESTSvc (Veeam RESTful API) services. If Veeam Backup Enterprise Manager is not currently in use, it can also be uninstalled to eliminate the attack vector.

Alongside this, Veeam has also patched two high-severity VBEM vulnerabilities. One allows account takeover via NTLM relay (CVE-2024-29850), and the other allows high-privileged users to steal the Veeam Backup Enterprise Manager service account's NTLM hash if it's not configured to run as the default Local System account (CVE-2024-29851).

In March 2023, Veeam patched a high-severity vulnerability (CVE-2023-27532) in the Backup & Replication software that could be exploited to breach backup infrastructure hosts. This vulnerability was later exploited in attacks attributed to the financially motivated FIN7 threat group, associated with various ransomware operations such as Conti, REvil, Maze, Egregor, and BlackBasta. In the following months, affiliates of the Cuba ransomware used the same vulnerability in attacks targeting U.S. critical infrastructure and IT companies in Latin America.

In November, Veeam released fixes to address two other critical flaws (with 9.8 and 9.9/10 CVSS base scores) in its ONE IT infrastructure monitoring and analytics platform. These vulnerabilities allowed threat actors to execute remote code (CVE-2023-38547) and steal NTLM hashes (CVE-2023-38548) from vulnerable servers. Veeam's products are utilized by more than 450,000 customers globally, including 74% of all Global 2,000 companies.

Related News

• Delays in Updating Known Exploited Vulnerabilities (KEV) Catalog Pose Risks
• Veeam Addresses Multiple Vulnerabilities in Veeam ONE Platform
• Cuba Ransomware Group's Sophisticated Cyberattack Techniques Unveiled
• Cuba Ransomware Gang Exploits Veeam Vulnerability in Attacks on U.S. Critical Infrastructure
• New BlackCat Ransomware Variant Incorporates Advanced Impacket and RemCom Tools

Latest News

• Critical Security Vulnerability in GitHub Enterprise Server Allows Authentication Bypass
• Critical Vulnerability in Fluent Bit Affects Major Cloud Providers
• Public RCE Exploit Revealed for Unpatched QNAP QTS Zero-Day
• PoC Exploit Surfaces for Google Chrome Zero-Day Vulnerability CVE-2024-4947
• Microsoft Yet to Address Seven Zero-Days Vulnerabilities Uncovered in Pwn2Own 2024