Advisory

Unauthenticated RCE in Veeam Backup & Replication [CVE-2024-40711]

Date of Disclosure: September 4, 2024

CVE-ID and CVSS Score: CVE-2024-40711: CVSS 9.8 (Critical)

Description: CVE-2024-40711 is a critical unauthenticated Remote Code Execution (RCE) vulnerability in Veeam Backup & Replication software. Threat actors could execute arbitrary code on a vulnerable system without authentication, which poses a significant risk to organizations relying on Veeam for backup and data protection.

Affected Assets: Veeam Backup & Replication is software that provides tools to create backups of data and systems, ensure they can be restored, and replicate them to other locations for protection against data loss and system failures. This vulnerability affects Veeam Backup & Replication version 12.1.2.172 and all earlier versions.

Global map of Censys-visible Veeam Backup & Replication interfaces (created with Kepler.gl)

Vulnerability Impact: CVE-2024-40711 could allow an attacker to gain full control of a system, manipulate data, and potentially move laterally within a network, making it a relatively high-value target for threat actors. This vulnerability is particularly concerning because it’s likely to be exploited by ransomware operators to compromise backup systems and potentially create double-extortion scenarios. Earlier vulnerabilities in Veeam Backup & Replication, such as CVE-2023-27532 disclosed back in July, have already been exploited by ransomware groups like EstateRansomware, Akira, Cuba, and FIN7 for initial access, credential theft, and other malicious activities.

Exploitation Details: Although it is currently unknown if CVE-2024-40711 is actively being exploited, its potential for extracting large volumes of data and enabling lateral movement within networks suggests it could become a target for ransomware attacks.

Patch Availability: Veeam has released Veeam Backup & Replication version 12.2.0.334, which addresses CVE-2024-40711 along with five other lower-severity vulnerabilities. Users are strongly advised to upgrade their systems.

Censys Perspective: As of now, Veeam Backup & Replication is widely used in enterprise environments, making the potential impact of this vulnerability significant. Organizations should ensure that their systems are updated to the latest version to protect against exploitation.

At the time of writing, Censys observes a total of 2,833 Veeam Backup & Replication servers exposed on the Internet, concentrated in Germany and France. Note that not all of these are necessarily vulnerable to this CVE.

To identify all exposed Veeam Backup & Replication servers on your network, the following Censys queries can be used:

  • Censys Search Query: services.software: (vendor: "Veeam" and product: "Backup Server") and not labels: {tarpit, honeypot, truncated}
  • Censys ASM Query: host.services.software: (vendor: "Veeam" and product: "Backup Server") or web_entity.instances.software: (vendor: "Veeam" and product: "Backup Server")
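Once the queries above return a list of exposed hosts, the next defender task is triage: which of them report a version in the affected range (12.1.2.172 and earlier) and which already run the fixed release (12.2.0.334)? The script below is an added example, not Censys or Veeam code. It assumes host records shaped like a simplified Censys Search response (vendor/product/version under each service's `software` list), and the records themselves are constructed sample data; the port numbers and IPs are part of that sample, not observations. Version-based triage only tells you whether a host is in the affected range, which is the same caveat the advisory makes about the 2,833 figure.

```python
"""Triage Censys-style host records for Veeam Backup & Replication exposure.

Added example (not Censys or Veeam code). Assumes records shaped like a
simplified Censys Search response, constructed below. The version cutoffs
come from the advisory: 12.1.2.172 and earlier are affected, 12.2.0.334 fixes it.
"""
from __future__ import annotations

from collections import Counter
from typing import Iterable

LAST_AFFECTED = "12.1.2.172"   # this version and all earlier are affected (advisory)
FIXED_VERSION = "12.2.0.334"   # first release containing the fix (advisory)


def parse_version(version: str | None) -> tuple[int, ...] | None:
    """Turn '12.1.2.172' into (12, 1, 2, 172); pad short strings to four parts.

    Returns None for missing or non-numeric versions so callers can keep an
    'unknown' bucket instead of silently treating them as safe.
    """
    if not version:
        return None
    parts = version.strip().split(".")
    try:
        nums = [int(p) for p in parts]
    except ValueError:
        return None
    nums += [0] * (4 - len(nums))          # '12.2' -> (12, 2, 0, 0)
    return tuple(nums)


def is_affected(version: str | None) -> bool | None:
    """True if the version predates the fix, False if fixed, None if unknown."""
    v = parse_version(version)
    if v is None:
        return None
    return v < parse_version(FIXED_VERSION)


def triage(hosts: Iterable[dict]) -> dict:
    """Bucket Veeam Backup Server instances by patch state and count by country."""
    result = {"affected": [], "patched": [], "unknown": [], "by_country": Counter()}
    for host in hosts:
        ip = host["ip"]
        country = host.get("location", {}).get("country", "unknown")
        for svc in host.get("services", []):
            for sw in svc.get("software", []):
                # Same vendor/product match the Censys queries in the advisory use.
                if sw.get("vendor") != "Veeam" or sw.get("product") != "Backup Server":
                    continue
                result["by_country"][country] += 1
                bucket = {True: "affected", False: "patched", None: "unknown"}[
                    is_affected(sw.get("version"))
                ]
                result[bucket].append((ip, svc.get("port"), sw.get("version")))
    return result


# Constructed sample records (documentation-range IPs), not real Censys output.
SAMPLE_HOSTS = [
    {"ip": "203.0.113.10", "location": {"country": "Germany"},
     "services": [{"port": 9392, "software": [
         {"vendor": "Veeam", "product": "Backup Server", "version": "12.1.2.172"}]}]},
    {"ip": "203.0.113.11", "location": {"country": "France"},
     "services": [{"port": 9392, "software": [
         {"vendor": "Veeam", "product": "Backup Server", "version": "12.2.0.334"}]}]},
    {"ip": "203.0.113.12", "location": {"country": "Germany"},
     "services": [{"port": 9392, "software": [
         {"vendor": "Veeam", "product": "Backup Server"}]}]},          # no version reported
    {"ip": "203.0.113.13", "location": {"country": "France"},
     "services": [{"port": 443, "software": [
         {"vendor": "Other", "product": "Web", "version": "1.0"}]}]},  # not Veeam, ignored
]

if __name__ == "__main__":
    report = triage(SAMPLE_HOSTS)
    for bucket in ("affected", "patched", "unknown"):
        print(f"{bucket:9}: {report[bucket]}")
    print("by country:", dict(report["by_country"]))
```

Hosts in the "unknown" bucket deserve a manual check rather than being dropped: a server that reports no version is not evidence that it is patched.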

References:

  1. https://www.veeam.com/kb4649
  2. https://code-white.com/public-vulnerability-list/#unauthenticated-remote-code-execution-in-backup-replication
  3. https://thehackernews.com/2024/09/veeam-releases-security-updates-to-fix.html
