Veeam has addressed a severe vulnerability in its widely utilized Backup & Replication tool, CVE-2024-40711. This critical flaw has a staggering Common Vulnerability Scoring System (CVSS) score of 9.8. Ransomware gangs have already begun exploiting this Veeam vulnerability, particularly deploying Akira and Fog ransomware in targeted attacks.
CVE-2024-40711 allows unauthenticated remote code execution, enabling attackers to send malicious payloads that could lead to full system control. This alarming discovery was made by Florian Hauser, a security researcher from CODE WHITE in Germany, who reported the vulnerability to Veeam.
Hauser emphasized the critical nature of the flaw, stating, “Better patch your Veeam Backup & Replication servers! Full system takeover via CVE-2024-40711, discovered by our very own @frycos—no technical details from us this time because this might instantly be abused by ransomware gangs.”
Critical Veeam Vulnerability CVE-2024-40711
The exploitation of this vulnerability has already led to security breaches. In one instance, attackers leveraged the Fog ransomware to infiltrate an unprotected Hyper-V server and exfiltrate sensitive data using the rclone utility. While some exploitation attempts have failed—mostly due to the use of compromised VPN gateways lacking multifactor authentication (MFA)—the threat remains high.
In response to the critical Veeam vulnerability, the company released a security patch for Backup & Replication version 12.2 on September 4, 2024. Following this release, watchTowr Labs conducted a detailed analysis of the vulnerabilities on September 9, 2024. To provide system administrators sufficient time for remediation, they withheld the publication of proof-of-concept exploit code until September 15, 2024.
Given Veeam’s extensive use—over 550,000 customers worldwide, including 74% of the Global 2000 companies—this vulnerability poses a risk. Veeam’s products are particularly attractive targets for cybercriminals seeking quick access to backup data, which further emphasizes the need for immediate action and timely updates.
Additional Vulnerabilities Identified
CVE-2024-40711 is part of a broader set of vulnerabilities affecting Veeam products. According to an advisory from Cyble, various other vulnerabilities have been reported, including:
- CVE-2024-40713: High severity
- CVE-2024-40710: High severity
- CVE-2024-40714: High severity
- CVE-2024-39718: Medium severity
- Additional medium severity vulnerabilities including CVE-2024-42020 through CVE-2024-42024
These vulnerabilities primarily impact several Veeam products, including Veeam Backup & Replication, Veeam ONE for monitoring and analytics, and Veeam Agent for Linux. Other affected products include Veeam Service Provider Console and Veeam Backup for Nutanix AHV, highlighting the widespread implications of these security concerns.
Technical Insights into CVE-2024-40711
CVE-2024-40711 specifically enables unauthenticated attackers to execute remote code, posing a serious risk to users running Veeam Backup & Replication versions 12.1.2.172 and earlier. During an investigation, Cyble’s ODIN scanner identified around 2,466 instances of Veeam Backup exposed to the internet, predominantly in the United States. This high visibility makes these systems particularly vulnerable to exploitation.
Moreover, this incident is not isolated. Veeam previously patched another high-severity vulnerability, CVE-2023-27532, in March 2023, which was linked to the financially motivated FIN7 threat group, known for its connections to several ransomware operations.
Conclusion
To protect against the vulnerabilities identified in Veeam products, organizations must prioritize immediate patching by applying the latest security updates, establish regular update protocols to maintain ongoing security and conduct thorough security assessments to identify potential risks.
Additionally, they should consider isolating Veeam products from the internet where possible, enforce multifactor authentication for management access, and implement comprehensive monitoring tools to detect unusual activities.
