A series of vulnerabilities identified in products from Veeam, a provider of backup and recovery software, have raised significant concerns within the cybersecurity community. These vulnerabilities were disclosed and subsequently patched on September 4, 2024.
The most critical issue is CVE-2024-40711, a remote code execution (RCE) vulnerability in Veeam Backup & Replication. Discovered by researcher Florian Hauser of Code White, it carries a critical CVSS score of 9.8. In a post on the social media platform X, Code White said it is withholding full technical details for now to reduce the risk of exploitation.
The primary cause for concern is the exposure that CVE-2024-40711 creates. Internet-scanning data from Censys shows nearly 3,000 Veeam Backup & Replication servers reachable from the public internet, with a significant concentration in France and Germany. The Censys team stated, “This vulnerability poses a serious risk as it may be targeted by ransomware operators looking to compromise backup systems and facilitate double-extortion scenarios.” They further noted that earlier Veeam vulnerabilities, such as CVE-2023-27532 (patched in March 2023), have been exploited by ransomware groups including EstateRansomware, Akira, Cuba, and FIN7, for actions that include initial access and credential theft.
Rapid7, which has been monitoring its network telemetry for signs of exploitation, reported on September 9 that there were no known malicious activities related to CVE-2024-40711 at that time. However, they echoed cautious sentiments shared by other cybersecurity experts, emphasizing that Veeam Backup & Replication has a wide deployment and that several prior vulnerabilities have been exploited in the wild, particularly by ransomware groups.
According to Rapid7, over 20% of the incident response cases it has handled this year involved some form of access to or exploitation of Veeam products, typically after the attackers had already gained a foothold in the victim’s environment. Five other CVEs were disclosed in Backup & Replication alongside CVE-2024-40711; some of them allow an attacker holding a low-privileged account to disable multi-factor authentication, extract credentials and other sensitive data, and achieve RCE. All of them are fixed in Backup & Replication version 12.2 (build 12.2.0.334), and administrators should apply the update promptly. Given the exposure figures above, a server that cannot be updated immediately should at least not remain reachable from the internet.
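The practical check that follows from the fixed build number is whether each Backup & Replication server in an inventory is at or above 12.2.0.334. The script below is an added example, not code from the article, Veeam, Rapid7 or Censys; it assumes the build string has already been read from each server (for instance from the console's About dialog) and that the hostnames and build strings in the inventory are constructed for illustration. It compares builds component by component as integers, because a plain string comparison gets dotted versions wrong in both directions, and it treats a build string that lacks the build component as not confirmed patched.

```python
"""Triage Veeam Backup & Replication build numbers against the fixed build.

Added example, not from the original article. FIXED_BUILD is the build the
article names as carrying the September 2024 fixes; hostnames and builds in
the sample inventory are constructed.

Dotted versions must be compared numerically. Lexicographically,
"12.10.0.1" sorts before "12.2.0.334" (because "1" < "2") and "9.5.4.2866"
sorts after it (because "9" > "1"), so a string comparison would misreport
both a newer build as vulnerable and an older one as patched.
"""
from __future__ import annotations

import re

FIXED_BUILD = "12.2.0.334"  # first build with the fixes (from the article)
_BUILD_RE = re.compile(r"\d+(\.\d+)*")


def parse_build(build: str) -> tuple[int, ...]:
    """Turn 'A.B.C.D' into a 4-tuple of ints, padding missing parts with 0.

    Raises ValueError for anything that is not a dotted run of integers so a
    mangled or empty value can never silently compare as 'patched'.
    """
    build = build.strip()
    if not _BUILD_RE.fullmatch(build):
        raise ValueError(f"not a dotted build number: {build!r}")
    parts = [int(p) for p in build.split(".")]
    parts += [0] * (4 - len(parts))  # "12.2" -> (12, 2, 0, 0)
    return tuple(parts[:4])


def is_patched(installed: str, fixed: str = FIXED_BUILD) -> bool:
    """True if the installed build is the fixed build or a later one.

    A truncated string such as "12.2" pads to 12.2.0.0, which is below
    12.2.0.334: without the build component the fix cannot be confirmed,
    so it is deliberately reported as not patched.
    """
    return parse_build(installed) >= parse_build(fixed)


def triage(inventory: dict[str, str]) -> dict[str, str]:
    """Classify a host -> build mapping as patched / vulnerable / unknown."""
    result = {}
    for host, build in inventory.items():
        try:
            result[host] = "patched" if is_patched(build) else "vulnerable"
        except ValueError:
            result[host] = "unknown"
    return result


if __name__ == "__main__":
    # Constructed inventory; hostnames and builds are illustrative only.
    inventory = {
        "vbr-01": "12.2.0.334",   # exactly the fixed build
        "vbr-02": "12.1.2.172",   # earlier 12.1 build
        "vbr-03": "12.10.0.1",    # hypothetical later build; string compare gets it wrong
        "vbr-04": "9.5.4.2866",   # old build; string compare gets it wrong the other way
        "vbr-05": "12.2",         # build component missing, cannot confirm the fix
        "vbr-06": "n/a",          # not a build number at all
    }
    for host, status in triage(inventory).items():
        print(f"{host}: {inventory[host]!r} -> {status}")
```

Feeding the script a real inventory is a matter of replacing the constructed dictionary; anything that comes back as "unknown" deserves a manual look rather than being assumed safe.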
Veeam has also released fixes for vulnerabilities in other products, including Veeam Agent for Linux, Veeam ONE, Veeam Service Provider Console, and Veeam Backup plugins for Nutanix AHV, Oracle Linux Virtualization, and Red Hat Virtualization.