Security experts recommend all Veeam Backup & Replication software customers to upgrade their software immediately to address a critical, remotely exploitable vulnerability. Veeam first revealed the flaw, dubbed CVE-2024-40711, on Thursday, when it issued fixes to address 18 vulnerabilities across its product range, including five major issues, which are so named because they may be remotely abused to execute arbitrary code.
The upgrade for the widely used Veeam Backup & Replication software patches security flaws detected in version 12.1.2.172 and all previous version 12 versions. The software is employed for backup and recovery in cloud, virtual, and physical IT settings and is directly compatible with operating systems and environments such as AWS, Azure, Google Cloud, Oracle, SAP Hana, and Broadcom's VMware.
Veeam Backup & Replication versions that are no longer supported, such as version 11, for which support ended in February, come with a warning from the company stating that they "are not tested, but are likely affected and should be considered vulnerable."
Threat actors can exploit CVE-2024-40711 to remotely execute code on a Veeam Backup & Replication server without having to first authenticate to the server. The vendor rated the vulnerability 9.8 on the 10-point CVSS scale and credited its discovery to researcher Florian Hauser at cybersecurity service provider Code White.
The company stated that the vulnerability could be leveraged to enable "full systems takeover" and that it would not immediately release any technical details regarding the flaw "because this might instantly be abused by ransomware gangs."
Four additional vulnerabilities in Veeam Backup & Replication that were addressed in the Thursday update are classed as high-severity because exploiting them needs an attacker to first achieve a low-privileged role with the software or to have network access.
Prior to the Veeam Backup & Replication March 2023 patch, Veeam addressed known vulnerabilities in the form of CVE-2023-27532, which has been the target of ransomware and cybercrime groups. Researchers warned that attackers might use that vulnerability to obtain encrypted credentials, which would give them illegal access to the program and possibly allow them to go to other areas of the network.
In July, cybersecurity company Group-IB revealed that, only a few weeks after its public release, groups like EstateRansomware appear to have begun concentrating on CVE-2023-27532. The United States Cybersecurity and Infrastructure Security Agency added CVE-2023-27532 to its Known Exploited Vulnerabilities catalogue in August of last year.