Headline
1 PoC Exploit for Critical RCE Flaw, but 2 Patches From Veeam
The first patch lets threat actors with low-level credentials still exploit the vulnerability, while the second fully resolves the flaw.
Source: Postmodern Studio via Alamy Stock Photo
A researcher has released a proof-of-concept (PoC) exploit and analysis for a critical vulnerability, tracked as CVE-2024-40711, used in Veeam’s backup and replication software.
As an unauthenticated remote code execution (RCE) flaw, the vulnerability has a CVSS score of 9.8 and threatens environments that are running versions 12.1.2.172 and below.
Initially reported for its high potential for exploitation, the vulnerability possesses an aging communication mechanism that makes it vulnerable to deserialization attacks. And it has an exploitation path that enables threat actors to create malicious payloads that bypass the protective measures Veeam has put in place.
While assessing the vulnerability, the security teams discovered 1,900 file modifications, 700 of which were deemed non-security related, indicating that Veeam’s patching process went beyond just CVE-2024-40711 and likely involved addressing a variety of other security flaws as well.
Veeam released two recommendations to address different components of the vulnerability. The first patch, version 12.1.2.172, made it so that low-level credentials were still required in order for threat actors to exploit the vulnerability. The second patch, version 12.2.0.334, fully resolves the flaw. It’s possible that the vulnerability was more severe than Veeam initially let on, and that the first patch did not fully mitigate the RCE threat, leaving systems exposed and prompting a second attempt to patch.
Dark Reading has contacted Veeam for more information about its approach.
In the meantime, it’s recommended that enterprises apply the latest patch as soon as possible, since a PoC exploit for the vulnerability has been made publicly available on GitHub, giving attackers tools to launch their next attacks.
About the Author
Related news
Threat actors have been observed abusing Amazon S3 (Simple Storage Service) Transfer Acceleration feature as part of ransomware attacks designed to exfiltrate victim data and upload them to S3 buckets under their control. "Attempts were made to disguise the Golang ransomware as the notorious LockBit ransomware," Trend Micro researchers Jaromir Horejsi and Nitesh Surana said. "However, such is
As the Akira ransomware group continues to evolve its operations, Talos has the latest research on the group's attack chain, targeted verticals, and potential future TTPs.
September episode of “In The Trend of VM”: 7 CVEs, fake reCAPTCHA, lebanese pagers, VM and IT annual bonuses. Starting this month, we decided to slightly expand the topics of the videos and increase their duration. I cover not only the trending vulnerabilities of September, but also social engineering cases, real-world vulnerability exploitation, and practices […]
Hi there! Here’s your quick update on the latest in cybersecurity. Hackers are using new tricks to break into systems we thought were secure—like finding hidden doors in locked houses. But the good news? Security experts are fighting back with smarter tools to keep data safe. Some big companies were hit with attacks, while others fixed their vulnerabilities just in time. It's a constant battle.
Threat actors are actively attempting to exploit a now-patched security flaw in Veeam Backup & Replication to deploy Akira and Fog ransomware. Cybersecurity vendor Sophos said it has been tracking a series of attacks in the past month leveraging compromised VPN credentials and CVE-2024-40711 to create a local account and deploy the ransomware. CVE-2024-40711, rated 9.8 out of 10.0 on the
Veeam B&R RCE vulnerability CVE-2024-40711 is exploited in attacks. On September 24, there were no signs of this vulnerability being exploited in the wild. And on October 10, Sophos X-Ops reported that they had observed a series of attacks exploiting this vulnerability over the course of a month. The attackers’ goal was to install Akira […]
Veeam has shipped security updates to address a total of 18 security flaws impacting its software products, including five critical vulnerabilities that could result in remote code execution. The list of shortcomings is below - CVE-2024-40711 (CVSS score: 9.8) - A vulnerability in Veeam Backup & Replication that allows unauthenticated remote code execution. CVE-2024-42024 (CVSS score: 9.1