Veeam Patches Critical Security Flaw in Recovery Orchestrator (CVE-2024-29855)
Veeam, a prominent backup and disaster recovery solutions provider, has addressed a critical vulnerability (CVE-2024-29855) in its Recovery Orchestrator (VRO) software. Rated 9.0 on the CVSS scale, the flaw could give an unauthorized attacker administrative access to the VRO web user interface (UI), and with it control over an organization's disaster recovery plans.
CVE-2024-29855 was found in VRO version 7.0.0.337. It allows an attacker to gain access to the VRO web UI with administrative privileges. The stated precondition is knowledge, not possession of credentials: the attacker must know the exact username and role of an account that holds an active VRO UI access token. That is a much lower bar than obtaining a password, so the precondition narrows the attack only modestly, and the impact of unauthorized administrative access makes this vulnerability particularly concerning. Until the fix is applied, the precondition also points at interim exposure reduction: the fewer accounts holding active VRO UI tokens, the fewer targets there are.
Importantly, this vulnerability does not affect other Veeam products such as Veeam Backup & Replication, Veeam Agent for Microsoft Windows, Veeam ONE, or the Veeam Service Provider Console. The flaw is confined to VRO, but because the product orchestrates recovery, keeping it current matters as much as patching the backup servers themselves.
Veeam has released fixes. The vulnerability is resolved in the following VRO builds:
- Veeam Recovery Orchestrator 7.1.0.230
- Veeam Recovery Orchestrator 7.0.0.379
Users of Veeam Recovery Orchestrator should update to the fixed build for their release branch (7.0.0.379 on the 7.0 branch, 7.1.0.230 on the 7.1 branch) without delay to mitigate CVE-2024-29855.
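A practitioner's first question is which VRO installs sit below the fixed build for their branch. The following is an added example, not Veeam's code: it takes four-part VRO build strings (for instance from a CMDB or asset export) and classifies each one against the fixed builds listed above, per release branch. Any build below the fixed build in its branch is treated as unpatched, which is what the advisory's fixed-version list implies; a branch the advisory does not list is reported as "not-covered" rather than as safe. The hostnames and build strings in the sample inventory are constructed, and the function names `parse_version`, `assess` and `assess_inventory` are chosen here.

```python
"""Per-branch build check for Veeam Recovery Orchestrator against CVE-2024-29855.

Added example, not Veeam's code. Fixed builds come from the advisory text
above; the inventory at the bottom is constructed sample data.
"""
import re

# Fixed builds per release branch, as listed in the advisory for CVE-2024-29855.
FIXED_BUILDS = {
    (7, 0): (7, 0, 0, 379),
    (7, 1): (7, 1, 0, 230),
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)$")


def parse_version(text):
    """Parse a four-part VRO build string (major.minor.patch.build) into ints.

    Raises ValueError on anything else, so a truncated or mangled inventory
    entry is reported instead of being silently compared as 'older than all'.
    """
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"not a four-part build string: {text!r}")
    return tuple(int(part) for part in match.groups())


def assess(text):
    """Classify one VRO build as 'patched', 'vulnerable' or 'not-covered'.

    'not-covered' means the release branch is not in the advisory's fix list
    (an assumption made here for anything outside 7.0/7.1); that is not a
    clean bill of health and should be escalated, not treated as safe.
    """
    version = parse_version(text)
    fixed = FIXED_BUILDS.get(version[:2])
    if fixed is None:
        return "not-covered"
    # Tuple comparison orders major, minor, patch, build in turn.
    return "patched" if version >= fixed else "vulnerable"


def assess_inventory(inventory):
    """Return {host: status}; unparsable entries are flagged 'invalid-version'."""
    results = {}
    for host, build in inventory.items():
        try:
            results[host] = assess(build)
        except ValueError:
            results[host] = "invalid-version"
    return results


# Constructed sample inventory: hostnames and builds are made up for this example.
SAMPLE_INVENTORY = {
    "vro-prod-01": "7.0.0.337",  # the build the flaw was found in
    "vro-prod-02": "7.0.0.379",  # fixed 7.0 build
    "vro-dr-01": "7.1.0.230",    # fixed 7.1 build
    "vro-dr-02": "7.1.0.100",    # hypothetical older 7.1 build, below the fix
    "vro-lab-01": "7.1",         # truncated entry from a bad export
}

if __name__ == "__main__":
    for host, status in sorted(assess_inventory(SAMPLE_INVENTORY).items()):
        print(f"{host:12} {SAMPLE_INVENTORY[host]:12} {status}")
```

Run it against a real export by replacing `SAMPLE_INVENTORY` with the host-to-build mapping from your asset system; anything reported as "vulnerable", "not-covered" or "invalid-version" needs a human look before the host is considered remediated.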
This advisory follows another critical patch issued last month. The earlier vulnerability, CVE-2024-29849 (CVSS 9.8), affected Veeam Backup Enterprise Manager (VBEM) and allowed unauthenticated attackers to sign in to any account through VBEM; with no authentication or prior knowledge of an account required at all, it posed an even greater threat than the VRO flaw.