A vulnerability allowing an authenticated domain user to perform remote code execution (RCE) on the Backup Server.
An attacker with a domain account with access to the environment can send a properly crafted request to the Veeam Backup & Replication server. The vulnerability classified as CWE-94 (improper control of code generation) and CWE-693 (protection mechanism failure) indicates the possibility of code injection and execution on the server side bypassing security mechanisms. The attack is possible over the network without additional interaction from the victim.
An attacker can gain full control over the backup server, which includes confidentiality, integrity and availability of stored data — including access to backups of the entire infrastructure and potential lateral movement in the environment.
Patches available from the manufacturer should be applied in accordance with references published at https://www.veeam.com/kb4831
Veeam Backup & Replication — versions indicated in the manufacturer's references (https://www.veeam.com/kb4831)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:HVeeam Backup \& Replication
APPVeeam13.0.0.496 – 13.0.1.2067 (bez)
Related vulnerabilities
Krytyczne RCE przez deserialization w Veeam Backup & Replication
Veeam Backup & Replication 10.x and 11.x has Incorrect Access Control (issue 1 of 2).
RCE w Veeam Backup & Replication dla uwierzytelnionego użytkownika domenowego
RCE dla uwierzytelnionego użytkownika domenowego w Veeam Backup & Replication
RCE dla administratora kopii zapasowych w Veeam Backup & Replication (HA)