Veeam Backup & Replication Vulnerabilities Exposed: High-Severity Flaws Put Data at Risk

by do son · December 4, 2024

Veeam Software, a prominent provider of backup, recovery, and data management solutions, has released a security update to address multiple vulnerabilities in its Veeam Backup & Replication software. These vulnerabilities could potentially allow an authenticated attacker to execute malicious code, gain unauthorized access to sensitive information, and compromise the integrity of connected systems.

The most severe of these vulnerabilities, CVE-2024-40717, carries a CVSS v3.1 score of 8.8, indicating a high severity level. This vulnerability could enable an attacker to execute arbitrary code with elevated privileges, potentially leading to a complete system compromise. Other vulnerabilities addressed in this update include:

CVE-2024-42451: Allows access to saved credentials in a human-readable format.
CVE-2024-42452: Permits remote file uploads to connected ESXi hosts with elevated privileges.
CVE-2024-42453: Enables control and modification of connected virtual infrastructure hosts.
CVE-2024-42455: Facilitates insecure deserialization, potentially leading to file deletion.
CVE-2024-42456: Grants access to privileged methods and control over critical services.
CVE-2024-42457: Exposes saved credentials through the remote management interface.
CVE-2024-45204: Exploits insufficient permissions in credential handling, potentially leading to the leakage of NTLM hashes.

A separate vulnerability, CVE-2024-45207, affects Veeam Agent for Microsoft Windows. Exploiting this flaw allows DLL injection when directories writable by untrusted users are added to the PATH environment variable. While the default Windows PATH does not include such directories, the risk remains significant in misconfigured environments.

Veeam has fixed these vulnerabilities in Veeam Backup & Replication 12.3 (build 12.3.0.310) and Veeam Agent for Microsoft Windows 6.3 (build 6.3.0.177) and urges all users to upgrade to this version immediately. As a temporary mitigation measure, Veeam recommends removing any untrusted or unnecessary users from the Users and Roles settings on the backup server.

Organizations relying on Veeam Backup & Replication are strongly encouraged to take immediate action to protect their critical data and infrastructure.