CVE-2024-29849: Critical Veeam Vulnerability Leads to Authentication Bypass
Veeam Backup Enterprise Manager (VBEM) is an administrative console intended to help manage the tasks associated with Veeam Backup & Replication across an organization's backup infrastructure. Threat actors find the application appealing because it manages critical backup procedures.
Veeam has patched a group of vulnerabilities in Veeam Backup Enterprise Manager (VBEM), a component of the popular Veeam Backup & Replication suite. One of them has been classified as critical because it could allow unauthenticated attackers to take over user accounts.
This disclosure is significant because Veeam's solutions are widely used by large international corporations, including 74% of the Forbes Global 2000, among them Shell, Airbus, Volkswagen Group, and Fujifilm.
CVE-2024-29849
The critical vulnerability, tracked as CVE-2024-29849, carries a CVSS severity score of 9.8. It affects Veeam Backup Enterprise Manager (VBEM), a component that is not enabled by default. This non-default activation offers some mitigation, since the risk is limited to environments where the component has been enabled.
CVE-2024-29849 allows unauthenticated attackers to log in to the VBEM web interface as any user, including administrators. This could result in a complete takeover of the backup and replication management system: an attacker with this level of access could alter backups or gain access to confidential information handled by the backup manager.
Other Vulnerabilities
Veeam's security alert outlines three additional vulnerabilities in Veeam Backup Enterprise Manager alongside the critical CVE-2024-29849.
These are the high-severity issues CVE-2024-29850 and CVE-2024-29851, and the less severe CVE-2024-29852, which concerns exposure of backup session logs.
CVE-2024-29850 (CVSS: 8.8)
This high-severity vulnerability opens a path to account takeover through NTLM relay. In environments that use NTLM authentication, an attacker able to intercept and relay authentication sessions could gain unauthorized access to the VBEM system.
CVE-2024-29851 (CVSS: 7.2)
The second high-severity issue, CVE-2024-29851, allows a high-privileged user to obtain the NTLM hash of the VBEM service account, provided that account is configured with credentials other than the default Local System account.
Active Exploitation
We have not discovered a proof-of-concept (PoC) exploit for this vulnerability, and there have been no reports of active exploitation in the wild. However, threat actors could use CVE-2024-29849 for malicious activity such as gaining unauthorized access to private information, altering data, or disrupting operations. Although this particular vulnerability is not listed in CISA's Known Exploited Vulnerabilities Catalog, other Veeam vulnerabilities have been exploited in the past, such as CVE-2023-27532, which ransomware threat actors leveraged in 2023 to target critical infrastructure.
Recommendations
| Affected Product | Affected Versions | Fixed Version |
| --- | --- | --- |
| Veeam Backup Enterprise Manager | 5.0, 6.1, 6.5, 7.0, 8.0, 9.0, 9.5, 10, 11, 12, 12.1 | 12.1.2.172 |
References
https://www.veeam.com/kb4581