Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Critical Veeam Vulnerability Leads to Authentication Bypass

Veeam Backup Enterprise Manager update resolves multiple vulnerabilities, including a critical authentication bypass.

Veeam on Tuesday rolled out a Backup & Replication update to address four vulnerabilities, including a critical-severity Backup Enterprise Manager bug leading to authentication bypass.

The critical flaw, tracked as CVE-2024-29849 (CVSS score of 9.8), “allows an unauthenticated attacker to log in to the Veeam Backup Enterprise Manager web interface as any user,” Veeam explains in an advisory.

According to Veeam, the security defect impacts Backup & Replication product versions 5.0 to 12.1 and was addressed with the release of Backup Enterprise Manager version 12.1.2.172, which is packaged with Backup & Replication version 12.1.2 (build 12.1.2.172).

The release also resolves a high-severity issue allowing attackers to take over accounts via NTLM relay attacks. The vulnerability is tracked as CVE-2024-29850 (CVSS score of 8.8).

CVE-2024-29851 (CVSS score of 7.2), another high-severity bug resolved with the latest Backup & Replication release, “allows a high-privileged user to steal the NTLM hash of the Veeam Backup Enterprise Manager service account if that service account is anything other than the default Local System account”.

The software update also resolves a low-severity Backup Enterprise Manager flaw allowing high-privileged users to read backup session logs.

Backup Enterprise Manager instances installed on dedicated servers can be updated to version 12.1.2.172 without having to upgrade Veeam Backup & Replication immediately.

If upgrading is not possible, Veeam recommends halting the Backup Enterprise Manager. The software can be installed if not in use.

Advertisement. Scroll to continue reading.

The latest Veeam Backup & Replication release also includes fixes for a high-severity bug (CVE-2024-29853) in Veeam Agent for Windows (VAW) that could be exploited by a local attacker to elevate their privileges.

The issue impacts Veeam Agent for Windows versions 2.0 to 6.1 and was addressed with the release of version 6.1.2 (build 6.1.2.134).

Veeam makes no mention of any of these vulnerabilities being exploited in attacks. However, users are advised to update their installations as soon as possible, as threat actors have been known to target Veeam bugs.

Related: Critical Vulnerabilities Expose Veeam ONE Software to Code Execution

Related: PoC Exploit Published for Just-Patched Veeam Data Backup Solution Flaw

Related: Serious Vulnerability Patched in Veeam Data Backup Solution

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

The AI Risk Summit brings together security and risk management executives, AI researchers, policy makers, software developers and influential business and government stakeholders.

Register

People on the Move

Gabriel Agboruche has been named Executive Director of OT and Cybersecurity at Jacobs.

Data security startup Reco adds Merritt Baer as CISO

Chris Pashley has been named CISO at Advanced Research Projects Agency for Health (ARPA-H).

More People On The Move

Expert Insights