High-Risk Vulnerabilities in the Veeam Backup & Replication Data Storage Solution

Filip Dimitrov

December 5, 2024

Veeam Backup & Replication, a critical data storage and backup solution used by organizations worldwide, has been found to contain multiple high-risk vulnerabilities. These vulnerabilities allow attackers with low-privileged roles to exploit improper access controls, escalate privileges, execute arbitrary code, and exfiltrate sensitive data. 

Taken together with recent reports from CISA and security researchers of ransomware groups actively targeting Veeam flaws, these vulnerabilities pose a significant risk to organizations.

Key Vulnerabilities

CVE-2024-40717

  • Description: Low-privileged users can perform Remote Code Execution (RCE) by modifying existing backup jobs to run pre- and post-scripts stored on a network share. The scripts execute with elevated privileges, and attackers can schedule the job to run immediately, allowing arbitrary code execution on the server.
  • Impact: Full system compromise via RCE.
  • CVSS v3: 8.8 (High)

CVE-2024-42456

  • Description: A low-privileged user can exploit configuration update methods to modify the trusted client certificate used for authentication. This allows the attacker to gain unauthorized access, call privileged methods, and start critical services.
  • Impact: Unauthorized access and privilege escalation.
  • CVSS v3: 8.8 (High)

CVE-2024-42452

  • Description: Attackers can remotely start an agent in server mode and gain system-level access to upload malicious files with elevated privileges.
  • Impact: Full system compromise and privilege escalation.
  • CVSS v3: 8.8 (High)

The other identified vulnerabilities are:

Threat Context

The vulnerabilities in Veeam Backup & Replication reflect an ongoing trend of attackers targeting backup systems to cripple recovery efforts and maximize damage. Backup platforms are particularly lucrative targets for ransomware operators, as they hold critical organizational data. CISA recently issued an advisory confirming the exploitation of a similar Veeam vulnerability, CVE-2024-40711, by ransomware groups, highlighting the urgency of patching these vulnerabilities.

Exploitation of backup systems can lead to double-extortion attacks, where threat actors encrypt backups and threaten to leak sensitive data. Organizations that fail to address these vulnerabilities may face prolonged downtime, financial loss, and reputational damage.

Suggested Mitigations

  1. Patch Immediately: Update to the latest version of Veeam Backup & Replication as per Veeam’s advisory.
  2. Audit Permissions: Restrict access to sensitive configurations and backup jobs, and enforce the principle of least privilege for all user accounts.
  3. Enable Multi-Factor Authentication (MFA): Protect all accounts with MFA to reduce the risk of unauthorized access.
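The job-script abuse described under CVE-2024-40717 and the permission audit in step 2 both come down to knowing which backup jobs run pre- or post-scripts, where those scripts live, and when that changed. The following PowerShell audit is an added example written for this page, not Veeam's or OP Innovate's code; it assumes it runs on the backup server with the Veeam.Backup.PowerShell module installed, that job options expose a JobScriptCommand object with PreScriptEnabled, PreScriptCommandLine, PostScriptEnabled and PostScriptCommandLine (verify against your module version), and it uses a hypothetical baseline file path.

```powershell
# Added audit helper (not Veeam's own code). Lists every enabled pre-/post-job script,
# flags scripts stored on a network share (the CVE-2024-40717 pattern), and reports
# script settings that appeared or changed since the last recorded baseline.
# Assumption: GetOptions().JobScriptCommand exposes PreScriptEnabled/PreScriptCommandLine
# and PostScriptEnabled/PostScriptCommandLine; check this against your module version.
Import-Module Veeam.Backup.PowerShell -ErrorAction Stop

function Test-UncPath {
    param([string]$CommandLine)
    # True when the command line references a \\server\share location.
    return $CommandLine -match '\\\\[^\\\s"]+\\[^\\\s"]+'
}

function Get-VeeamScriptFindings {
    $findings = @()
    foreach ($job in Get-VBRJob) {
        $scriptCfg = $job.GetOptions().JobScriptCommand
        foreach ($phase in 'Pre', 'Post') {
            if (-not $scriptCfg."${phase}ScriptEnabled") { continue }
            $cmd = $scriptCfg."${phase}ScriptCommandLine"
            if ([string]::IsNullOrWhiteSpace($cmd)) { continue }
            $severity = if (Test-UncPath $cmd) { 'HIGH: script on network share' } else { 'REVIEW' }
            $findings += [pscustomobject]@{
                Job      = $job.Name
                Phase    = $phase
                Command  = $cmd
                Severity = $severity
            }
        }
    }
    return $findings
}

function Compare-ScriptBaseline {
    # Hypothetical baseline location chosen for this example; store it where only admins can write.
    param([string]$BaselinePath = "$env:ProgramData\veeam-script-baseline.json")
    $current = @(Get-VeeamScriptFindings)
    if (-not (Test-Path $BaselinePath)) {
        ConvertTo-Json -InputObject $current -Depth 3 | Set-Content $BaselinePath
        Write-Warning "No baseline found; wrote $BaselinePath. Re-run to detect changes."
        return $current
    }
    $known = @(Get-Content $BaselinePath -Raw | ConvertFrom-Json |
               ForEach-Object { "$($_.Job)|$($_.Phase)|$($_.Command)" })
    # Anything not in the baseline is a script setting added or modified since it was taken.
    return $current | Where-Object { $known -notcontains "$($_.Job)|$($_.Phase)|$($_.Command)" }
}

Compare-ScriptBaseline | Format-Table Job, Phase, Severity, Command -AutoSize
```

Schedule the script after patching and treat any new HIGH row as an incident trigger, since a legitimate change to job scripts should match a change record.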

As ransomware groups increasingly target backup platforms, organizations must act swiftly to patch known vulnerabilities, enforce access controls, and monitor systems for suspicious activity.

Stay ahead of these threats by signing up to receive the latest vulnerability updates from the OP Innovate Research Team straight to your inbox.

Stay Secure. Stay Informed.

OP Innovate Research Team.