A deserialization of untrusted data vulnerability with a malicious payload can allow an unauthenticated remote code execution (RCE).
The vulnerability results from unsafe deserialization of untrusted data (CWE-502). An attacker sends a specially crafted payload over the network, which is deserialized by the application without prior authentication. The process of deserializing malicious data leads to the execution of arbitrary code in the context of the application.
An attacker without any credentials can remotely execute arbitrary code on the server, which in practice means complete takeover of the system, including the ability to steal data, install backdoors, and conduct further lateral movement in the network.
Patches available from the vendor must be applied immediately in accordance with the official Veeam support article (kb4649). Due to active exploitation of the vulnerability, the update should be performed without delay.
Veeam Backup & Replication — versions indicated in the vendor's references (see: veeam.com/kb4649)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HVeeam Backup \& Replication
APPVeeam12.0.0.1420 – 12.2.0.334 (bez)
CISA KEV — detailsi
- Vendori
- Veeam
- Producti
- Backup & Replication
- Added to KEVi
- October 17, 2024
- Remediation deadline (US Federal)i
- November 7, 2024(overdue)
- Ransomwarei
- Active ransomware campaigns exploit this vulnerability
Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Veeam Backup and Replication contains a deserialization vulnerability allowing an unauthenticated user to perform remote code execution.
Related vulnerabilities
Veeam Backup & Replication 10.x and 11.x has Incorrect Access Control (issue 1 of 2).
RCE w Veeam Backup & Replication dla uwierzytelnionych użytkowników domenowych
RCE dla uwierzytelnionego użytkownika domenowego w Veeam Backup & Replication
RCE w Veeam Backup & Replication dla uwierzytelnionego użytkownika domenowego
RCE dla administratora kopii zapasowych w Veeam Backup & Replication (HA)