Veritas Enterprise Vault Vulnerability Could Allow Remote Code Execution

Veritas Enterprise Vault server

Veritas has released a security advisory regarding a critical remote code execution (RCE) vulnerability affecting multiple versions of its Enterprise Vault (EV) software. Rated as a CVSS v3.1 score of 9.8, this issue exposes Enterprise Vault servers to potential exploitation through deserialization of untrusted data on .NET Remoting TCP ports.

The advisory describes the vulnerability as inherent to the .NET Remoting service used by Enterprise Vault. On startup, the application opens several services listening on random TCP ports for client commands. These ports, along with local IPC services, are vulnerable to specially crafted payloads. As stated in the advisory: “This vulnerability could allow remote code execution if an attacker sends specially crafted data to a vulnerable EV server.”

For an attack to succeed, specific preconditions must be met:

  1. The attacker must have RDP access to a virtual machine in the network.
  2. The attacker must know critical details about the EV server, including its IP address, process IDs, and TCP dynamic ports.
  3. The firewall on the EV server must be improperly configured​

All currently supported versions of Enterprise Vault are affected. Veritas plans to release a patch for the vulnerability in Enterprise Vault 15.2, expected in the third quarter of 2025.

In the meantime, Veritas recommends that users take the following steps to mitigate the risk:

  • Ensure that only Enterprise Vault administrators have access to the Enterprise Vault server.
  • Ensure that only trusted users are part of the Remote Desktop Users group and have RDP access to the Enterprise Vault server.
  • Ensure that the Enterprise Vault server firewall is enabled and properly configured.
  • Ensure that the latest Windows updates have been installed on the Enterprise Vault server

Veritas acknowledged that the vulnerabilities were responsibly disclosed by Sina Kheirkhah, in collaboration with Trend Micro’s Zero Day Initiative.

Related Posts: