Vulnerabilities in Veeam software could allow attackers to execute code remotely
Veeam Software, a leading provider of backup, recovery, and data management solutions, has announced the discovery and remediation of several critical and high-severity vulnerabilities in multiple products.
These vulnerabilities pose potential risks to users of Veeam Backup & Replication, Veeam ONE, Veeam Agent for Linux, Veeam Service Provider Console, and other Veeam products.
Key vulnerabilities and their impact
CVE-2024-40711 is a critical vulnerability (CVSS score 9.8) that allows unauthenticated remote code execution (RCE).
CVE-2024-40713 and CVE-2024-40710 are high-severity vulnerabilities that allow low-privileged users to modify multifactor authentication (MFA) settings and execute code remotely.
Additionally, CVE-2024-39718 (CVSS score 8.1) allows low-privileged users to remotely delete files. Other vulnerabilities include issues with TLS certificate validation and local privilege escalation.
- Veeam Agent for Linux – CVE-2024-40709: High-severity vulnerability allowing local privilege escalation to root; reported via HackerOne.
- Veeam ONE – CVE-2024-42024 and CVE-2024-42019: Critical vulnerabilities allowing remote code execution and access to NTLM hashes, with CVSS scores of 9.1 and 9.0, respectively. Additional vulnerabilities include code execution with Administrator privileges and HTML injection.
- Veeam Service Provider Console – CVE-2024-38650 and CVE-2024-39714: Critical vulnerabilities allowing remote code execution via NTLM hashes (CVSS score 9.9) and arbitrary file upload.
- Veeam Backup for Nutanix AHV and other plugins – CVE-2024-40718: High-severity SSRF vulnerability allowing local privilege escalation.
Solutions and updates
Veeam addressed these vulnerabilities in the latest software updates and urged all users to update to the following versions:
- Veeam Backup & Replication: Version 12.2 (build 12.2.0.334)
- Veeam Agent for Linux: Version 6.2 (build 6.2.0.101)
- Veeam ONE: Version 12.2 (build 12.2.0.4093)
- Veeam Service Provider Console: Version 8.1 (build 8.1.0.21377)
- Veeam Backup for Nutanix AHV and other plugins: Latest versions included with Veeam Backup & Replication 12.2
Users are advised to update to the latest versions to reduce potential security risks. Veeam continues to prioritize security and encourages customers to be vigilant and proactive in applying updates.
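As an added example (not part of the advisory or of any Veeam tooling), the following script checks a constructed inventory of Veeam installs against the fixed builds listed above. Build strings are compared component by component as integers, so "12.10.0.1" correctly ranks above "12.2.0.334" and a short build such as "12.2" is treated as below the fixed build rather than equal to it; the host names and builds in the sample inventory are constructed.

```python
FIXED_BUILDS = {  # product -> first fixed build, as listed in the advisory
    "Veeam Backup & Replication": "12.2.0.334",
    "Veeam Agent for Linux": "6.2.0.101",
    "Veeam ONE": "12.2.0.4093",
    "Veeam Service Provider Console": "8.1.0.21377",
}

def parse_build(build: str) -> tuple[int, ...]:
    """Turn '12.2.0.334' into (12, 2, 0, 334); reject non-numeric components."""
    parts = build.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed build string: {build!r}")
    return tuple(int(p) for p in parts)

def is_fixed(product: str, build: str) -> bool:
    """True if the installed build is at or above the first fixed build."""
    fixed, installed = parse_build(FIXED_BUILDS[product]), parse_build(build)
    width = max(len(fixed), len(installed))  # pad so "12.2" compares as 12.2.0.0
    return installed + (0,) * (width - len(installed)) >= fixed + (0,) * (width - len(fixed))

def triage(inventory):
    """Return (host, product, build, reason) for every entry that still needs
    attention: outdated builds, products not in the table, unparsable builds."""
    findings = []
    for host, product, build in inventory:
        if product not in FIXED_BUILDS:
            findings.append((host, product, build, "product not in fixed-build table"))
            continue
        try:
            if not is_fixed(product, build):
                findings.append((host, product, build, f"below fixed build {FIXED_BUILDS[product]}"))
        except ValueError as exc:
            findings.append((host, product, build, str(exc)))
    return findings

SAMPLE_INVENTORY = [  # constructed sample data, not real hosts
    ("bkp-01", "Veeam Backup & Replication", "12.1.2.172"),
    ("bkp-02", "Veeam Backup & Replication", "12.2.0.334"),
    ("lin-07", "Veeam Agent for Linux", "6.2.0.101"),
    ("vspc-1", "Veeam Service Provider Console", "8.1.0.2"),
    ("odd-99", "Veeam ONE", "12.2.x"),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_INVENTORY):
        print(*finding, sep=" | ")
```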