Veeam, a prominent provider of backup and replication solutions, has issued a critical security warning to its customers regarding a vulnerability in the Veeam Backup Enterprise Manager (VBEM) that could potentially allow unauthorized access to user accounts.
VBEM is a web-based platform that lets administrators manage Veeam Backup & Replication installations through a centralized web console. It is used to oversee backup and restore operations across an organization's backup infrastructure, including large deployments.
It is important to note that VBEM is not enabled by default, so not every installation is exposed to the vulnerability, tracked as CVE-2024-29849, to which Veeam has assigned a CVSS base score of 9.8/10.
According to the company, the flaw in Veeam Backup Enterprise Manager could allow an unauthenticated attacker to log in to the web interface as any user. To address the issue, Veeam recommends that customers update to VBEM version 12.1.2.172, the release that contains the patch. Where an immediate upgrade is not feasible, the risk can be mitigated by stopping and disabling the VeeamEnterpriseManagerSvc and VeeamRESTSvc services.
For environments where VBEM is not actively utilized, an alternative approach suggested by Veeam is to uninstall the software using provided instructions to eliminate the potential attack surface.
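The following PowerShell script is an added example, not Veeam's own tooling, for administrators checking whether a VBEM host still needs the interim mitigation described above: it reads the build stamped on the VeeamEnterpriseManagerSvc binary, compares it against the fixed 12.1.2.172 release, and only if the host is still below that build stops and disables the two services named in the advisory. It assumes the service binary's file version tracks the VBEM build and that it runs in an elevated session.

```powershell
# Added example (not Veeam's code). Assumption: the file version of the
# VeeamEnterpriseManagerSvc executable matches the installed VBEM build.
$FixedBuild = [version]'12.1.2.172'
$Services   = @('VeeamEnterpriseManagerSvc', 'VeeamRESTSvc')

# Locate the service executable from the registered image path.
$svc = Get-CimInstance Win32_Service -Filter "Name='VeeamEnterpriseManagerSvc'"
if (-not $svc) {
    Write-Output 'VeeamEnterpriseManagerSvc is not registered: VBEM is not installed here.'
    return
}

# PathName may be quoted and may carry arguments; keep only the executable path.
$exePath = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] }
           else { ($svc.PathName -split ' ')[0] }

# Build a comparable version from the binary's file version fields.
$vi = (Get-Item -LiteralPath $exePath).VersionInfo
$installed = [version]::new($vi.FileMajorPart, $vi.FileMinorPart,
                            $vi.FileBuildPart, $vi.FilePrivatePart)

if ($installed -ge $FixedBuild) {
    Write-Output "VBEM build $installed is at or above $FixedBuild; no action needed."
    return
}

Write-Warning "VBEM build $installed is below $FixedBuild (CVE-2024-29849 unpatched)."
foreach ($name in $Services) {
    $s = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $s) { continue }
    # Interim mitigation from the advisory: stop the service and keep it from restarting.
    if ($s.Status -ne 'Stopped') { Stop-Service -Name $name -Force }
    Set-Service -Name $name -StartupType Disabled
    Write-Output "$name stopped and disabled pending upgrade to $FixedBuild."
}
```

Re-enable the services only after the host has been upgraded to 12.1.2.172 or later.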
Veeam has also addressed two additional high-severity vulnerabilities in VBEM. One permits account takeover through NTLM relay (CVE-2024-29850); the other allows high-privileged users to steal the NTLM hash of the Veeam Backup Enterprise Manager service account if that account is not configured to run as the default Local System account (CVE-2024-29851).
This recent warning from Veeam comes on the heels of previous security incidents involving the company’s products. In a notable instance in March 2023, Veeam patched a critical vulnerability (CVE-2023-27532) in the Backup & Replication software following reports of exploitation by threat actors associated with the FIN7 group. Subsequently, this vulnerability was leveraged in ransomware attacks attributed to various threat groups targeting critical infrastructure and IT organizations.
As part of its ongoing efforts to enhance security, Veeam has released hotfixes to address critical flaws in its ONE IT infrastructure monitoring and analytics platform. These vulnerabilities, with CVSS base scores of 9.8 and 9.9/10, could potentially allow threat actors to execute remote code and extract NTLM hashes from vulnerable servers.
Veeam’s suite of products is widely adopted, with over 450,000 customers globally, including a significant presence among the Global 2,000 companies.