Security flaws in Veeam products require immediate attention
Users of Veeam Backup Enterprise Manager are urged to update to the latest version following the disclosure of four security flaws, one of them critical.
The most severe, tracked as CVE-2024-29849 with a CVSS score of 9.8, could allow an unauthenticated attacker to log in to the Enterprise Manager web interface as any user.
Additionally, three other vulnerabilities have been disclosed:
CVE-2024-29850 (CVSS score: 8.8) – allows account takeover via NTLM relay.
CVE-2024-29851 (CVSS score: 7.2) – enables a high-privileged user to steal the NTLM hash of the Enterprise Manager service account (relevant when that account is anything other than the default Local System account).
CVE-2024-29852 (CVSS score: 2.7) – allows a high-privileged user to read backup session logs.
All four flaws have been addressed in version 12.1.2.172. Veeam noted that deploying Veeam Backup Enterprise Manager is optional, so environments that do not have it installed are not affected by these four issues.
Recently, Veeam also resolved:
A local privilege escalation flaw in Veeam Agent for Windows (CVE-2024-29853, CVSS score: 7.2).
A critical remote code execution bug in Veeam Service Provider Console (CVE-2024-29212, CVSS score: 9.9), attributed to an unsafe deserialization method that, under certain conditions, could be exploited to execute code on the VSPC server.

Additionally, a previously disclosed flaw in Veeam Backup & Replication (CVE-2023-27532, CVSS score: 7.5) has already been exploited in the wild by threat actors such as FIN7 and Cuba to deploy malicious payloads, including ransomware. Backup infrastructure is a high-value target precisely because compromising it lets an attacker destroy recovery options before deploying ransomware, so users should patch these vulnerabilities promptly and, where possible, restrict network access to the Enterprise Manager and Service Provider Console web interfaces.