1 PoC Exploit for Critical RCE Flaw, but 2 Patches From Veeam

A researcher has released a proof-of-concept (PoC) exploit and analysis for a critical vulnerability, tracked as CVE-2024-40711, used in Veeam's backup and replication software.

As an unauthenticated remote code execution (RCE) flaw, the vulnerability has a CVSS score of 9.8 and threatens environments that are running versions 12.1.2.172 and below.

Initially reported for its high potential for exploitation, the vulnerability possesses an aging communication mechanism that makes it vulnerable to deserialization attacks. And it has an exploitation path that enables threat actors to create malicious payloads that bypass the protective measures Veeam has put in place.

While assessing the vulnerability, the security teams discovered 1,900 file modifications, 700 of which were deemed non-security related, indicating that Veeam's patching process went beyond just CVE-2024-40711 and likely involved addressing a variety of other security flaws as well.

Veeam released two recommendations to address different components of the vulnerability. The first patch, version 12.1.2.172, made it so that low-level credentials were still required in order for threat actors to exploit the vulnerability. The second patch, version 12.2.0.334, fully resolves the flaw. It's possible that the vulnerability was more severe than Veeam initially let on, and that the first patch did not fully mitigate the RCE threat, leaving systems exposed and prompting a second attempt to patch.

Dark Reading has contacted Veeam for more information about its approach.

In the meantime, it's recommended that enterprises apply the latest patch as soon as possible, since a PoC exploit for the vulnerability has been made publicly available on GitHub, giving attackers tools to launch their next attacks.