High-Severity Vulnerability Identified in Veeam Backup Enterprise Manager
A new and critical vulnerability has been identified in the Veeam Backup Enterprise Manager (VBEM) system. This vulnerability could allow attackers to gain unauthorized access to the system, posing a risk to the confidentiality and integrity of backup data.
Vulnerability Details:
This vulnerability, tracked as CVE-2024-40715, affects Veeam Backup Enterprise Manager (VBEM). It has a CVSS v3.1 score of 7.7, which classifies it as a high-severity vulnerability.
The primary threat is authentication bypass. Through a Man-in-the-Middle (MITM) attack, an attacker can gain unauthorized access to the system, potentially compromising data or modifying backup configurations. Successful exploitation presents a significant risk to the integrity and security of backup data.
Affected Products:
- Veeam Backup Enterprise Manager (VBEM) version 12.2.0.334 and earlier versions are vulnerable and require an update or security patch.
Security Recommendations:
To protect against this vulnerability, it is advised to either update the existing version or install the necessary security patches.
- For Veeam Backup Enterprise Manager version 12.2.0.334:
  - Apply the KB4682 security patches provided by Veeam. These patches help mitigate the vulnerability.
- For Veeam Backup Enterprise Manager version 12.1.2.172 and earlier versions:
  - Download the latest Veeam Backup & Replication ISO file and upgrade to version 12.2.0.334. This approach eliminates vulnerabilities present in older versions.
UZCERT recommends that all users apply these measures as quickly as possible. Additionally, it is advised to apply security updates regularly.
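The version guidance above can be applied across a fleet with a short triage script. This is an added example, not code from Veeam or UZCERT; the hostnames and most build strings in the sample inventory are constructed, and only the two thresholds and the KB number come from this advisory.

```python
"""Triage a VBEM inventory against this advisory's version guidance (added example)."""
import re

PATCH_BUILD = (12, 2, 0, 334)    # from the advisory: apply KB4682 on this build
OLD_BUILD_MAX = (12, 1, 2, 172)  # from the advisory: this build and earlier must upgrade
_BUILD_RE = re.compile(r"^\d+(\.\d+){3}$")


def parse_build(text):
    """Return a 4-tuple of ints for 'a.b.c.d', or None if the string is malformed."""
    text = text.strip()
    if not _BUILD_RE.match(text):
        return None
    return tuple(int(part) for part in text.split("."))


def recommend(build_text):
    """Map one reported build string to the action the advisory gives for it."""
    build = parse_build(build_text)
    if build is None:
        return "unparseable build string: check the host manually"
    if build == PATCH_BUILD:
        # The build number alone does not show whether KB4682 is already installed.
        return "apply KB4682"
    if build <= OLD_BUILD_MAX:
        return "upgrade to 12.2.0.334"
    if build < PATCH_BUILD:
        # Vulnerable per "12.2.0.334 and earlier"; the advisory names no step for this range.
        return "vulnerable: no specific step in advisory"
    return "newer than 12.2.0.334: not covered by this advisory"


def triage(inventory):
    """Return {host: recommendation} for a {host: build_string} inventory."""
    return {host: recommend(build) for host, build in inventory.items()}


# Constructed sample inventory (hypothetical hosts; builds chosen to hit each branch).
SAMPLE = {
    "vbem-01": "12.2.0.334",
    "vbem-02": "12.1.2.172",
    "vbem-03": " 11.0.1.1261 ",
    "vbem-04": "12.1.9.9",
    "vbem-05": "12.2",
}

if __name__ == "__main__":
    for host, action in triage(SAMPLE).items():
        print(f"{host:10} {action}")
```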