Veeam Software Vulnerabilities Let Attackers Trigger Remote Code Execution


Veeam Software, a leading backup, recovery, and data management solutions provider, has disclosed and patched several critical and high-severity vulnerabilities across multiple products.

These vulnerabilities were identified during internal testing and through external reports, highlighting potential risks for users of Veeam Backup & Replication, Veeam ONE, Veeam Agent for Linux, Veeam Service Provider Console, and other Veeam products.


Key Vulnerabilities and Their Impacts

CVE-2024-40711, a critical vulnerability in Veeam Backup & Replication with a CVSS score of 9.8, allows unauthenticated remote code execution (RCE). It was reported by Florian Hauser of CODE WHITE GmbH.

CVE-2024-40713 and CVE-2024-40710 are high-severity vulnerabilities, enabling low-privileged users to alter Multi-Factor Authentication (MFA) settings and execute remote code, respectively.

Additionally, CVE-2024-39718 allows low-privileged users to remove files remotely, carrying a CVSS score of 8.1. Other vulnerabilities include issues with TLS certificate validation and local privilege escalation.

  1. Veeam Agent for Linux: CVE-2024-40709, a high-severity vulnerability allowing local privilege escalation to root level, reported via HackerOne.
  2. Veeam ONE: CVE-2024-42024 and CVE-2024-42019, critical vulnerabilities allowing remote code execution and access to NTLM hashes, with CVSS scores of 9.1 and 9.0, respectively. Additional vulnerabilities include code execution with Administrator privileges and HTML injection.
  3. Veeam Service Provider Console: CVE-2024-38650 and CVE-2024-39714, critical vulnerabilities allowing access to NTLM hashes and remote code execution through arbitrary file uploads, both with a CVSS score of 9.9.
  4. Veeam Backup for Nutanix AHV and Other Plug-Ins: CVE-2024-40718, a high-severity SSRF vulnerability allowing local privilege escalation.

Solutions and Updates

Veeam has addressed these vulnerabilities in the latest software updates, urging all users to upgrade to the following versions:

  • Veeam Backup & Replication: Version 12.2 (build 12.2.0.334)
  • Veeam Agent for Linux: Version 6.2 (build 6.2.0.101)
  • Veeam ONE: Version 12.2 (build 12.2.0.4093)
  • Veeam Service Provider Console: Version 8.1 (build 8.1.0.21377)
  • Veeam Backup for Nutanix AHV and Other Plug-Ins: Latest versions included with Veeam Backup & Replication 12.2
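The build numbers above are the practical test: anything below them is still exposed. The following triage helper is an added example (not Veeam's own tooling or code from this article); it parses build strings numerically so that, for instance, a hypothetical 12.10 sorts after 12.9, and flags every entry in an inventory that is below the advisory's fixed build. The plug-in line is omitted from the table because the advisory ties it to Veeam Backup & Replication 12.2 rather than a standalone build. The inventory, hostnames and older build numbers are constructed for the example.

```python
"""Triage helper: compare installed Veeam builds against the fixed builds
listed in the advisory. Added example, not Veeam's own tooling."""
from typing import Dict, List, Tuple

# Minimum fixed builds from the advisory (product -> build string).
FIXED_BUILDS: Dict[str, str] = {
    "Veeam Backup & Replication": "12.2.0.334",
    "Veeam Agent for Linux": "6.2.0.101",
    "Veeam ONE": "12.2.0.4093",
    "Veeam Service Provider Console": "8.1.0.21377",
}


def parse_build(build: str) -> Tuple[int, ...]:
    """Turn '12.1.2.172' into (12, 1, 2, 172) so comparison is numeric,
    not lexical: as strings, '12.10' sorts before '12.9'."""
    parts = build.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed build string: {build!r}")
    return tuple(int(p) for p in parts)


def is_fixed(product: str, installed: str) -> bool:
    """True if the installed build is at or above the advisory's fixed build.
    Tuple comparison is element-wise; a shorter tuple with the same prefix
    (e.g. '12.2') compares below the full build, which is the safe direction."""
    try:
        fixed = FIXED_BUILDS[product]
    except KeyError:
        raise ValueError(f"no fixed build known for {product!r}") from None
    return parse_build(installed) >= parse_build(fixed)


def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Return (host, product, build) for every entry still below the fixed build."""
    return [(h, p, b) for h, p, b in inventory if not is_fixed(p, b)]


# Constructed sample inventory: hostnames and the pre-patch builds are
# illustrative values for this example, not real hosts.
SAMPLE_INVENTORY: List[Tuple[str, str, str]] = [
    ("bkp-01", "Veeam Backup & Replication", "12.1.2.172"),
    ("bkp-02", "Veeam Backup & Replication", "12.2.0.334"),
    ("one-01", "Veeam ONE", "12.1.0.3208"),
    ("vspc-01", "Veeam Service Provider Console", "8.1.0.21377"),
    ("lnx-01", "Veeam Agent for Linux", "6.1.2.1781"),
]

if __name__ == "__main__":
    for host, product, build in triage(SAMPLE_INVENTORY):
        print(f"{host}: {product} {build} < {FIXED_BUILDS[product]}")
```

Feed it the output of whatever asset inventory you already have (CMDB export, agent report); the point is to compare builds as integers and to treat an unknown product as an error rather than silently passing it.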

Users are strongly advised to update to the latest versions to mitigate potential security risks. Veeam continues to prioritize security and encourages customers to remain vigilant and proactive in applying updates.
