
Veeam Releases Security Updates to Fix 18 Flaws, Including 5 Critical Issues


Veeam has shipped security updates to address a total of 18 security flaws impacting its software products, including five critical vulnerabilities that could result in remote code execution.

The list of shortcomings is below -

  • CVE-2024-40711 (CVSS score: 9.8) - A vulnerability in Veeam Backup & Replication that allows unauthenticated remote code execution.
  • CVE-2024-42024 (CVSS score: 9.1) - A vulnerability in Veeam ONE that enables an attacker in possession of the Agent service account credentials to perform remote code execution on the underlying machine.
  • CVE-2024-42019 (CVSS score: 9.0) - A vulnerability in Veeam ONE that allows an attacker to access the NTLM hash of the Veeam Reporter Service service account.
  • CVE-2024-38650 (CVSS score: 9.9) - A vulnerability in Veeam Service Provider Console (VSPC) that allows a low-privileged attacker to access the NTLM hash of the service account on the server.
  • CVE-2024-39714 (CVSS score: 9.9) - A vulnerability in VSPC that permits a low-privileged user to upload arbitrary files to the server, resulting in remote code execution on the server.

In addition, the September 2024 updates address 13 other high-severity flaws that could permit privilege escalation, multi-factor authentication (MFA) bypass, and code execution with elevated permissions.

All the issues have been addressed in the below versions -

  • Veeam Backup & Replication 12.2 (build 12.2.0.334)
  • Veeam Agent for Linux 6.2 (build 6.2.0.101)
  • Veeam ONE v12.2 (build 12.2.0.4093)
  • Veeam Service Provider Console v8.1 (build 8.1.0.21377)
  • Veeam Backup for Nutanix AHV Plug-In v12.6.0.632
  • Veeam Backup for Oracle Linux Virtualization Manager and Red Hat Virtualization Plug-In v12.5.0.299

With flaws in Veeam software becoming a lucrative target for threat actors to serve ransomware, users are advised to update to the latest version as soon as possible to mitigate potential threats.
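
One way to check a software inventory against the fixed builds listed above, comparing build numbers numerically so that a build such as 12.2.0.999 is not mistaken for being newer than 12.2.0.4093. This is an added example, not code from Veeam or from the original article; the hostnames and installed builds are constructed, and it assumes any build at or above the listed one includes the fixes.

```python
import re

# Fixed builds copied from the list in the article above.
FIXED_BUILDS = {
    "Veeam Backup & Replication": "12.2.0.334",
    "Veeam Agent for Linux": "6.2.0.101",
    "Veeam ONE": "12.2.0.4093",
    "Veeam Service Provider Console": "8.1.0.21377",
    "Veeam Backup for Nutanix AHV Plug-In": "12.6.0.632",
    "Veeam Backup for Oracle Linux Virtualization Manager and Red Hat Virtualization Plug-In": "12.5.0.299",
}

def parse_build(text):
    """Turn '12.2.0.334' or 'v12.2.0.334' into (12, 2, 0, 334); None if malformed."""
    m = re.fullmatch(r"[vV]?(\d+)\.(\d+)\.(\d+)\.(\d+)", text.strip())
    return tuple(int(g) for g in m.groups()) if m else None

def audit(inventory):
    """Return (host, product, build, status) per row: patched, needs-update or review."""
    results = []
    for host, product, build in inventory:
        fixed = FIXED_BUILDS.get(product)
        installed = parse_build(build)
        if fixed is None or installed is None:
            status = "review"        # unknown product or bad build: check by hand
        elif installed >= parse_build(fixed):
            status = "patched"       # assumption: later builds keep the fixes
        else:
            status = "needs-update"
        results.append((host, product, build, status))
    return results

# Constructed inventory rows (hostnames and installed builds are sample values).
SAMPLE_INVENTORY = [
    ("bkp-01", "Veeam Backup & Replication", "12.1.0.100"),
    ("bkp-02", "Veeam Backup & Replication", "12.2.0.334"),
    ("mon-01", "Veeam ONE", "12.2.0.999"),        # 999 < 4093 when compared as numbers
    ("spc-01", "Veeam Service Provider Console", "8.1.0.21377"),
    ("lnx-07", "Veeam Agent for Linux", "6.2"),    # truncated build, flagged for review
]

if __name__ == "__main__":
    for row in audit(SAMPLE_INVENTORY):
        print("{:8} {:32} {:14} {}".format(*row))
```

Rows marked `review` are not treated as safe: an unrecognised product name or a truncated build string needs a manual check against the vendor's release notes.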