
Critical Veeam Backup & Replication Vulnerability Under Active Exploitation



Summary

Successful exploitation of CVE-2024-40711 could lead to remote code execution


Affected platforms

The following platforms are known to be affected:

Threat details

Unsupported versions should be considered vulnerable

Veeam states that unsupported product versions are not tested, but are likely affected and should be considered vulnerable.

Active exploitation of CVE-2024-40711

Security researchers have reported that CVE-2024-40711 is under active exploitation by ransomware groups. These groups are reportedly using CVE-2024-40711 as a second-stage exploit to create new local Administrator accounts, which are then used to pursue further objectives on compromised networks. Reports warn of exploitation attempts beginning shortly after official disclosure by Veeam.

Enterprise backup and disaster recovery applications are valuable targets for cyber threat groups. Vulnerabilities in backup and disaster recovery applications are often exploited in the wild by ransomware groups shortly after official disclosure, and the NHS England National CSOC assesses that exploitation of CVE-2024-40711 is highly likely to continue.
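The post-exploitation behaviour described above (a new local account created and then placed in the Administrators group) leaves a recognisable trail in the Windows Security log. The following is an added detection example, not code from the advisory or from Veeam: it correlates Windows event ID 4720 (user account created) with event ID 4732 (member added to a security-enabled local group) for the built-in Administrators group (well-known SID S-1-5-32-544) on the same host within a short window. The event records are constructed samples in a simplified dictionary form; real 4732 events identify the member by SID rather than by name, so a production version would resolve that first.

```python
"""Flag newly created accounts that are promoted to local Administrator.
Added example, not part of the NHS advisory.  Event IDs 4720/4732 and the
SIDs S-1-5-32-544 (Administrators) and S-1-5-32-545 (Users) are standard
Windows values; everything else below is constructed sample data."""
from datetime import datetime, timedelta

ADMINISTRATORS_SID = "S-1-5-32-544"

# Constructed sample events, shaped like fields exported from the Security log.
# The member field uses an account name for readability; real 4732 events carry a SID.
SAMPLE_EVENTS = [
    {"time": "2024-10-10T02:14:05", "id": 4720, "host": "BACKUP01",
     "subject": "VEEAMSVC", "target": "svc_backup2"},
    {"time": "2024-10-10T02:14:09", "id": 4732, "host": "BACKUP01",
     "subject": "VEEAMSVC", "member": "svc_backup2", "group_sid": ADMINISTRATORS_SID},
    # Benign helpdesk activity: account created and added only to the Users group.
    {"time": "2024-10-10T09:30:00", "id": 4720, "host": "WS17",
     "subject": "helpdesk", "target": "j.smith"},
    {"time": "2024-10-10T09:45:00", "id": 4732, "host": "WS17",
     "subject": "helpdesk", "member": "j.smith", "group_sid": "S-1-5-32-545"},
]


def find_new_local_admins(events, window=timedelta(minutes=10)):
    """Return (host, account, acting_subject) tuples for accounts that were
    created (4720) and added to Administrators (4732) on the same host
    within `window`.  Events are processed in time order so that a 4732
    arriving before its 4720 is not matched."""
    created = {}  # (host, account) -> (creation time, subject that created it)
    hits = []
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        if ev["id"] == 4720:
            created[(ev["host"], ev["target"].lower())] = (ts, ev["subject"])
        elif ev["id"] == 4732 and ev.get("group_sid") == ADMINISTRATORS_SID:
            key = (ev["host"], ev["member"].lower())
            if key in created and ts - created[key][0] <= window:
                hits.append((ev["host"], ev["member"], ev["subject"]))
    return hits


if __name__ == "__main__":
    for host, account, subject in find_new_local_admins(SAMPLE_EVENTS):
        print(f"ALERT {host}: new account '{account}' made local Administrator by '{subject}'")
```

In a real deployment the acting subject is the interesting field: an account creation performed by the Veeam service account, rather than by an administrator, is exactly the pattern the reports above describe and is worth an immediate look on any backup server.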


Introduction

In September 2024, Veeam issued a security bulletin addressing one critical and five high severity vulnerabilities in their Backup & Replication product, including CVE-2024-40711. These vulnerabilities were initially covered in the cyber alert CC-4542.

The NHS England National CSOC is now aware of reports that CVE-2024-40711 is under active exploitation by ransomware groups and is issuing this high severity Cyber Alert in response.

CVE-2024-40711 is a critical 'deserialisation of untrusted data' vulnerability with a CVSSv3 score of 9.8. If exploited, an unauthenticated attacker could achieve remote code execution (RCE).


Remediation advice

Affected organisations must review the Veeam Security Bulletin (September 2024) KB4649 and update Veeam Backup & Replication to version 12.2 (or above) as a matter of urgency.
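Checking an estate against that baseline is easy to get wrong when version strings are compared as text ("12.10" sorts before "12.2"). The following is an added example, not Veeam's or the advisory's code: it takes a constructed host-to-version inventory, compares versions numerically against the 12.2 baseline the advisory gives, and, in line with the advisory's guidance on unsupported versions, treats anything unparseable or older as needing the update. The version strings in the inventory are constructed samples, not known Veeam build numbers.

```python
"""List Veeam Backup & Replication hosts that need the CVE-2024-40711 update.
Added example, not Veeam's or the advisory's code.  The baseline (12.2) comes
from the advisory; the inventory below is constructed sample data."""

FIXED_VERSION = (12, 2)  # advisory: update to 12.2 or above

# Constructed inventory: host -> installed version string as reported by the host.
SAMPLE_INVENTORY = {
    "BACKUP01": "12.1.2.172",
    "BACKUP02": "12.2.0.100",
    "BACKUP03": "11.0.1.1261",   # unsupported major version
    "BACKUP04": "unknown",       # agent could not read a version
    "BACKUP05": "12.10.0.1",     # would wrongly sort below "12.2" as text
}


def parse_version(text):
    """'12.1.2.172' -> (12, 1, 2, 172); None if the string is not dotted digits."""
    try:
        return tuple(int(part) for part in text.strip().split("."))
    except ValueError:
        return None


def is_vulnerable(version_text):
    """True when the install is below 12.2 or its version cannot be determined.
    Unknown/unsupported builds are assumed vulnerable, as the advisory directs."""
    version = parse_version(version_text)
    if version is None:
        return True
    return version[:2] < FIXED_VERSION


def hosts_needing_update(inventory):
    """Sorted host names whose installed version requires the 12.2 update."""
    return sorted(host for host, ver in inventory.items() if is_vulnerable(ver))


if __name__ == "__main__":
    for host in hosts_needing_update(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} -> update to 12.2 or above")
```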


Definitive source of threat updates


Last edited: 11 October 2024 11:21 am