A critical vulnerability, CVE-2024-40711, affecting Veeam Backup & Replication (VBR), has emerged as a significant threat to enterprises, with ransomware gangs poised to exploit it for data theft.
This vulnerability, discovered and reported by Code White researcher Florian Hauser, could grant attackers complete control over a system, enabling them to manipulate data and potentially move laterally within a network. WatchTowr Labs has confirmed the vulnerability’s potential for exploitation, highlighting its high value for threat actors.
Veeam Backup & Replication, a popular enterprise solution for backing up, replicating, and restoring backups of virtual environments, physical machines, and cloud-based workloads, has been targeted by ransomware groups in the past. In 2023, the CVE-2023-27532 vulnerability in VBR was exploited to gain access to organizations’ backup infrastructure.
CVE-2024-40711 affects VBR version 12.1.2.172 and all earlier versions. Censys researchers have identified 2,833 Veeam Backup & Replication servers exposed to the internet, concentrated primarily in Germany and France. How many of these are running a vulnerable build remains unknown.
A Patch is Available
Veeam has addressed CVE-2024-40711 and five other less critical flaws affecting VBR, and has urged administrators to update to Veeam Backup & Replication 12.2 (build 12.2.0.334). The company has not mentioned any workarounds. In the same release cycle it has also shipped fixes for vulnerabilities in:
- Veeam Agent for Linux
- Veeam ONE (monitoring and analytics solution for IT workloads)
- Veeam Backup for Nutanix AHV and Veeam Backup for Oracle Linux Virtualization Manager and Red Hat Virtualization
- Veeam Service Provider Console (a solution for managing data backup operations, used by MSPs and enterprises)
Delving Deeper into the Vulnerability
WatchTowr Labs researcher Sina Kheirkhan has provided further analysis, revealing that CVE-2024-40711 comprises two separate components:
- An improper authorization bug: This bug was fixed in VBR 12.1.2.172, released in late May.
- A deserialization bug: This bug was patched in VBR 12.2.0.334, released last week.
However, Kheirkhan has indicated that the later patch does not completely fix CVE-2024-40711. WatchTowr Labs has refrained from publishing exploit code due to concerns about its potential misuse by ransomware operators.
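The two build numbers quoted above (12.1.2.172 as the last affected build, 12.2.0.334 as the fix) are what a defender actually needs when walking an asset inventory. The following Python script is an added example written for this page, not tooling from Veeam, Code White or WatchTowr Labs: it parses Veeam-style four-part build strings, classifies each host as affected, fixed, or unverified (a build newer than 12.1.2.172 but older than 12.2.0.334, a range the article does not cover), and reports which of the two components Kheirkhan describes a given build still lacks a fix for. The hostnames and the non-quoted build numbers in the sample inventory are constructed.

```python
"""Triage a Veeam Backup & Replication inventory against the CVE-2024-40711
build thresholds quoted in the article. Example code written for this page,
not Veeam's or the researchers' tooling; hosts and unlabelled builds below are
constructed sample data."""

from typing import Iterable

# Build numbers as stated in the article.
LAST_AFFECTED = (12, 1, 2, 172)   # 12.1.2.172 and all earlier are affected
FIXED = (12, 2, 0, 334)           # build Veeam asks administrators to update to
AUTHZ_FIX = (12, 1, 2, 172)       # improper-authorization component fixed here
DESER_FIX = (12, 2, 0, 334)       # deserialization component fixed here


def parse_build(text: str) -> tuple[int, ...]:
    """Turn '12.1.2.172' into a comparable tuple; shorter strings are zero-padded."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Veeam-style build number: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (4 - len(nums))


def unpatched_components(build: tuple[int, ...]) -> list[str]:
    """Which of the two CVE-2024-40711 components the build still carries."""
    missing = []
    if build < AUTHZ_FIX:
        missing.append("improper authorization")
    if build < DESER_FIX:
        missing.append("deserialization")
    return missing


def assess(version: str) -> str:
    """Classify one build: 'affected', 'fixed', or 'unverified' for builds the
    article does not cover (newer than 12.1.2.172 but older than 12.2.0.334)."""
    build = parse_build(version)
    if build >= FIXED:
        return "fixed"
    if build <= LAST_AFFECTED:
        return "affected"
    return "unverified"


def triage(inventory: Iterable[tuple[str, str]]) -> dict[str, list[str]]:
    """Group hosts by status so the 'affected' list can drive patch scheduling."""
    report: dict[str, list[str]] = {"affected": [], "unverified": [], "fixed": []}
    for host, version in inventory:
        report[assess(version)].append(host)
    return report


# Constructed inventory: (hostname, reported VBR build). Not real hosts.
SAMPLE_INVENTORY = [
    ("vbr-01.example.test", "12.1.2.172"),   # last affected build (from the article)
    ("vbr-02.example.test", "12.0.0.1420"),  # older 12.x build (constructed value)
    ("vbr-03.example.test", "12.2.0.334"),   # fixed build (from the article)
    ("vbr-04.example.test", "12.1.2.200"),   # in-between build (constructed value)
]

if __name__ == "__main__":
    for host, version in SAMPLE_INVENTORY:
        status = assess(version)
        missing = unpatched_components(parse_build(version))
        print(f"{host:22} {version:12} {status:10} missing fixes: {missing or '-'}")
```

Feed `triage()` the (hostname, build) pairs from whatever inventory source you already have; the "unverified" bucket exists so that builds the advisory does not name are escalated for manual confirmation rather than silently treated as safe.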
The Significance of the Threat
Rapid7, a cybersecurity firm, emphasizes the widespread deployment of Veeam Backup & Replication and the likelihood that one or more of the patched vulnerabilities could be used for extortion attacks. They highlight that over 20% of their incident response cases in 2024 have involved Veeam being accessed or exploited, typically after an adversary has gained a foothold in the target environment.
The Importance of Immediate Action
Given the potential for ransomware groups to exploit CVE-2024-40711, enterprises using Veeam Backup & Replication must prioritize updating to the latest version (12.2.0.334) as soon as possible.
This vulnerability poses a significant threat to data security and could lead to data loss, system compromise, and potential financial losses. By promptly applying the available patch, organizations can mitigate the risk of falling victim to ransomware attacks targeting their backup infrastructure.