On September 4, 2024, Veeam released a security bulletin announcing that they have fixed several vulnerabilities affecting various Veeam products. Arctic Wolf has highlighted five of these vulnerabilities, which are classified as critical.
| Vulnerability | CVSS | Affected Product | Description |
| CVE-2024-40711 | 9.8 | Veeam Backup and Replication | Enables an unauthenticated attacker to achieve remote code execution (RCE). |
| CVE-2024-42024 | 9.1 | Veeam ONE | Allows an attacker with Veeam ONE Agent service account credentials to achieve RCE on the machine where the Veeam ONE Agent is installed. |
| CVE-2024-42019 | 9.0 | Veeam ONE | An attacker can exploit this vulnerability to obtain the NTLM hash of the Veeam Reporter Service account, but it requires user interaction and data from Veeam Backup & Replication. |
| CVE-2024-38650 | 9.9 | Veeam Service Provider Console | A vulnerability that allows access to the NTLM hash of a service account on the VSPC server by a low-privileged attacker. |
| CVE-2024-39714 | 9.9 | Veeam Service Provider Console | Enables RCE on the VSPC server by permitting a low-privileged user to upload arbitrary files to the server. |
Arctic Wolf has not observed any exploitation of these vulnerabilities in the wild and has not identified any publicly available proof of concept (PoC) exploit code. Veeam Backup & Replication, in particular, has been a frequent target for ransomware groups due to its critical role in backup and recovery. Given this historical targeting, threat actors may try to reverse engineer the patches and develop exploits to take advantage of these vulnerabilities in the near future.
Recommendation
Upgrade to Latest Fixed Version
Arctic Wolf strongly recommends that customers upgrade to the latest fixed version.
| Product | Affected Version | Fixed Version |
| Veeam Backup and Replication | 12.1.2.172 and all earlier version 12 builds. | 12.2 (build 12.2.0.334) |
| Veeam ONE | 12.1.0.3208 and all earlier version 12 builds | v12.2 (build 12.2.0.4093) |
| Veeam Service Provider Console | 8.0.0.19552 and all earlier version 8 builds. | v8.1 (build 8.1.0.21377) |
Please follow your organization’s patching and testing guidelines to avoid any operational impact.
References
Stay up to date with the latest security incidents and trends from Arctic Wolf Labs.
Explore the latest global threats with the 2024 Arctic Wolf Labs Threats Report.
