May 24, 2024 HawkEye

CVE-2024-29849: Critical Veeam Vulnerability Leads to Authentication Bypass

A group of vulnerabilities in Veeam Backup Enterprise Manager (VBEM), a part of the popular Veeam Backup & Replication package, were patched by Veeam.

Background:

Veeam Backup Enterprise Manager is an administrative console intended to assist in managing the tasks associated with Veeam Backup & Replication across an organization's backup infrastructure. Threat actors find the application appealing because it manages critical backup procedures.

One of these vulnerabilities has been classified as critical because it could allow unauthenticated attackers to take over user accounts.

Given that Veeam's solutions are widely used by large international corporations, including 74% of the Forbes Global 2000 (Shell, Airbus, Volkswagen Group, and Fujifilm among them), this disclosure is very important.

CVE-2024-29849:

The critical vulnerability, tracked as CVE-2024-29849, has a CVSS severity score of 9.8. It affects Veeam Backup Enterprise Manager (VBEM), which is not enabled by default. That non-default activation offers some mitigation, as the risk is limited to environments where this component has been enabled.

CVE-2024-29849 allows unauthenticated attackers to log in to the VBEM web interface as any user, including administrators. This could result in a complete takeover of the backup and replication management system. An attacker with this level of access could potentially alter backups or gain access to confidential information managed by the backup manager.

Other Vulnerabilities:

Veeam's security alert outlines three additional vulnerabilities in Veeam Backup Enterprise Manager alongside the critical CVE-2024-29849.

These are the high-severity CVE-2024-29850 and CVE-2024-29851, and the less serious CVE-2024-29852, which concerns backup session log exposure.

CVE-2024-29850 (CVSS: 8.8):

This high-severity vulnerability creates a path to account takeover via NTLM relay. In environments that use NTLM authentication, it could allow attackers to intercept and relay authentication sessions, giving them unauthorized access to the VBEM system.

CVE-2024-29851 (CVSS: 7.2):

CVE-2024-29851 is another worrisome vulnerability: if the service account that VBEM uses is configured with credentials other than the default Local System account, a high-privileged user can obtain the NTLM hash of the VBEM service account.

Active exploitation:

We have not discovered a proof-of-concept (PoC) exploit for this vulnerability, and there have been no reports of active exploitation in the wild. However, threat actors could use CVE-2024-29849 for malicious activities including gaining unauthorized access to private information, altering data, or interfering with operations. Although this particular vulnerability is not listed in CISA's Known Exploited Vulnerabilities Catalog, several other Veeam vulnerabilities have been exploited in the past, such as CVE-2023-27532, which ransomware threat actors leveraged in 2023 to target critical infrastructure.

Recommendations:

Upgrading to Veeam Backup Enterprise Manager version 12.1.2.172, which fixes CVE-2024-29849, is strongly advised. To avoid operational impact, follow your organization's patching and testing policies.

Affected Product                  Affected Versions                                        Fixed Version
Veeam Backup Enterprise Manager   5.0, 6.1, 6.5, 7.0, 8.0, 9.0, 9.5, 10, 11, 12, 12.1      12.1.2.172

If upgrading right away is not feasible, users can reduce the risk by stopping and disabling the "VeeamEnterpriseManagerSvc" and "VeeamRESTSvc" services. Make sure the "Veeam Backup Server RESTful API Service" is not stopped.
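As an added example (not from the HawkEye post or from Veeam), the following PowerShell applies the interim mitigation above on a host whose VBEM version is below 12.1.2.172 and then confirms that the service which must keep running is still up. The product name pattern used for the version lookup and matching the REST API service by its display name are assumptions.

```powershell
# Added example (not from the HawkEye post or Veeam KB4581): interim mitigation
# for CVE-2024-29849 where the 12.1.2.172 upgrade cannot be applied right away.
# Assumptions: the product name pattern below and matching the Backup Server
# REST API service by its display name are assumptions, not documented facts.
#Requires -RunAsAdministrator

$FixedVersion = [version]'12.1.2.172'

# Services the advisory says to stop and disable on an unpatched VBEM host.
$MitigateServices = @('VeeamEnterpriseManagerSvc', 'VeeamRESTSvc')
# Service the advisory says must keep running (matched by display name; assumption).
$KeepRunningDisplayName = 'Veeam Backup Server RESTful API Service'

function Get-VbemVersion {
    # Assumption: the product registers under this display name (Programs provider).
    $pkg = Get-Package -ProviderName Programs -Name 'Veeam Backup Enterprise Manager*' `
        -ErrorAction SilentlyContinue | Select-Object -First 1
    if ($null -eq $pkg) { return $null }
    return [version]$pkg.Version
}

$installed = Get-VbemVersion
if ($null -eq $installed) {
    Write-Output 'Veeam Backup Enterprise Manager is not installed on this host; nothing to do.'
    return
}
if ($installed -ge $FixedVersion) {
    Write-Output "VBEM $installed is at or above $FixedVersion; no mitigation needed."
    return
}

Write-Warning "VBEM $installed is below $FixedVersion; applying interim mitigation."
foreach ($name in $MitigateServices) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $svc) { Write-Warning "Service $name not found; skipping."; continue }
    if ($svc.Status -ne 'Stopped') { Stop-Service -Name $name -Force }
    Set-Service -Name $name -StartupType Disabled
    Write-Output "$name stopped and disabled."
}

# Verify the service the advisory says must stay up was not affected.
$rest = Get-Service -DisplayName $KeepRunningDisplayName -ErrorAction SilentlyContinue
if ($null -eq $rest) {
    Write-Warning "'$KeepRunningDisplayName' not found on this host."
} elseif ($rest.Status -ne 'Running') {
    Write-Warning "'$KeepRunningDisplayName' is $($rest.Status); restore it before continuing."
} else {
    Write-Output "'$KeepRunningDisplayName' is still running."
}
```

Re-enable the two services only after the host has been upgraded to 12.1.2.172 or later.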

Furthermore, since Backup Enterprise Manager is an optional add-on, Veeam advises uninstalling it if it is not in use.

References:

  • https://www.veeam.com/kb4581