CVE-2021-35971

9.8 CRITICAL

📋 TL;DR

This vulnerability in Veeam Backup and Replication allows remote attackers to execute arbitrary code via insecure .NET remoting deserialization. It affects all organizations running vulnerable versions of Veeam Backup and Replication 10 or 11. Successful exploitation could lead to complete system compromise.

💻 Affected Systems

Products:
  • Veeam Backup and Replication
Versions: Version 10 before 10.0.1.4854 P20210609 and Version 11 before 11.0.0.837 P20210507
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations are vulnerable. The vulnerability exists in the .NET remoting service used by Veeam components.


⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote unauthenticated attacker gains full control over the Veeam server, potentially compromising backup data, deploying ransomware, or pivoting to other systems in the network.

🟠

Likely Case

Attacker executes arbitrary code with SYSTEM privileges on the Veeam server, allowing data theft, backup manipulation, or installation of persistence mechanisms.

🟢

If Mitigated

With proper network segmentation and access controls, impact is limited to the Veeam server itself, though backup integrity could still be compromised.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation is straightforward once the vulnerability details are understood. The CVSS 9.8 score corresponds to a network-reachable flaw with low attack complexity, no privileges or user interaction required, and high impact on confidentiality, integrity and availability.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version 10.0.1.4854 P20210609 or Version 11.0.0.837 P20210507

Vendor Advisory: https://www.veeam.com/kb4126

Restart Required: Yes

Instructions:

1. Download the cumulative patch from Veeam's website.
2. Stop all Veeam services.
3. Run the patch installer.
4. Restart the server.
5. Verify the patch is applied by checking the version.

🔧 Temporary Workarounds

Disable .NET Remoting

Platform: windows

Stop the Veeam services that host the vulnerable .NET remoting listener and block the Veeam firewall rules. This halts all backup and restore jobs, so it is a short-term measure until the patch is applied. The firewall command only changes rules whose display name begins with "Veeam"; if the installation created no such rules, it has no effect.

# Stops every service whose name begins with "Veeam" (wildcard match); all backup jobs stop with them
Stop-Service -Name "Veeam*"
# Switches any existing firewall rule whose display name begins with "Veeam" to block traffic
Set-NetFirewallRule -DisplayName "Veeam*" -Action Block

Network Segmentation

Platform: all

Restrict network access to Veeam servers to only trusted management systems

🧯 If You Can't Patch

  • Isolate Veeam servers from internet and untrusted networks using firewall rules
  • Implement strict access controls and monitor for suspicious activity on Veeam servers

🔍 How to Verify

Check if Vulnerable:

Check the Veeam version in the console, or via PowerShell (querying Win32_Product is slow and makes Windows Installer run a consistency check on every installed package, so prefer the console on a production server): Get-WmiObject -Class Win32_Product | Where-Object {$_.Name -like "*Veeam*"} | Select-Object Name, Version

Check Version:

Get-WmiObject -Class Win32_Product | Where-Object {$_.Name -like "*Veeam Backup and Replication*"} | Select-Object Version

Verify Fix Applied:

Verify the version is 10.0.1.4854 P20210609 or higher for v10, or 11.0.0.837 P20210507 or higher for v11. The cumulative patch is applied on top of the base build, so a build number that merely equals 10.0.1.4854 or 11.0.0.837 does not by itself prove the patch is installed; confirm the patch level (P20210609 or P20210507) shown in the console's About dialog.
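As an added example (not code from the original page or from Veeam), the script below reads installed Veeam Backup & Replication products from the Uninstall registry keys and compares their build against the fixed builds named above. It assumes the product registers with a DisplayName beginning "Veeam Backup" and a numeric DisplayVersion; both are assumptions, not facts taken from the page. A build equal to the fixed base build is reported separately, because the patch level cannot be read from the version number alone.

```powershell
# Added example for this page; not code from the original page or from Veeam.
# Fixed builds from the advisory section above: 10.0.1.4854 (v10) and 11.0.0.837 (v11),
# each with the cumulative patch level that must also be present.
$FixedBuilds = @{
    10 = @{ Build = [version]'10.0.1.4854'; Patch = 'P20210609' }
    11 = @{ Build = [version]'11.0.0.837';  Patch = 'P20210507' }
}

function Get-VeeamPatchState {
    param([Parameter(Mandatory)][string]$DisplayVersion)
    try { $v = [version]$DisplayVersion } catch { return 'UNPARSEABLE: compare manually against the advisory' }
    if (-not $FixedBuilds.ContainsKey($v.Major)) {
        return "UNKNOWN: major version $($v.Major) is not covered by this advisory"
    }
    $fix = $FixedBuilds[$v.Major]
    if ($v -lt $fix.Build) { return 'VULNERABLE: below the fixed build' }
    if ($v -gt $fix.Build) { return 'PATCHED: newer than the fixed build' }
    # Equal build number: the cumulative patch sits on top of this base build, so the number
    # alone cannot distinguish patched from unpatched; the P-level must be checked in the console.
    return "BASE BUILD: confirm patch level $($fix.Patch) in the console About dialog"
}

# The Uninstall registry keys are read instead of Win32_Product, which is slow and makes
# Windows Installer run a consistency check of every installed package when queried.
$UninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'

# Assumption: the product's DisplayName begins with "Veeam Backup".
$products = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'Veeam Backup*' -and $_.DisplayVersion }

if (-not $products) {
    Write-Output 'No Veeam Backup product found under the Uninstall registry keys'
}
foreach ($p in $products) {
    Write-Output ('{0} {1} -> {2}' -f $p.DisplayName, $p.DisplayVersion, (Get-VeeamPatchState $p.DisplayVersion))
}
```

Run it in an elevated PowerShell session on the backup server. Any "BASE BUILD" result still needs the patch level confirmed in the console before the host is treated as fixed.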

📡 Detection & Monitoring

Log Indicators:

  • Unusual .NET remoting connections in Windows Event Logs
  • Suspicious process creation from Veeam services
  • Failed authentication attempts to Veeam services

Network Indicators:

  • Unexpected connections to Veeam default ports (9392, 9393)
  • Malformed .NET remoting traffic

SIEM Query:

source="windows" AND ((process_name="veeam*" AND parent_process!="veeam*") OR (event_id=4688 AND process_name="powershell.exe" AND parent_process="veeam*"))

The parentheses group both alternatives under source="windows"; AND binds tighter than OR, so without them the second clause would apply to every log source. The first clause also matches routine starts of Veeam services by services.exe, so baseline it before alerting on it.
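As an added example (not code from the original page or from Veeam), the function below applies the event 4688 half of the query above to Security-log events in the XML shape returned by Get-WinEvent's ToXml(): a script host started by a process whose image name begins with "veeam". It widens the match from powershell.exe alone to the other common script hosts. The sample events and file paths are constructed for the example, not captured from a real host.

```powershell
# Added example for this page; not code from the original page or from Veeam.
# Returns $true when a 4688 event records a script host started by a Veeam-named parent.
function Test-SuspiciousVeeamChild {
    param([Parameter(Mandatory)][xml]$EventXml)
    $ns = New-Object System.Xml.XmlNamespaceManager($EventXml.NameTable)
    $ns.AddNamespace('e', 'http://schemas.microsoft.com/win/2004/08/events/event')
    $idNode = $EventXml.SelectSingleNode('/e:Event/e:System/e:EventID', $ns)
    if ($null -eq $idNode -or [int]$idNode.InnerText -ne 4688) { return $false }
    $new    = $EventXml.SelectSingleNode("/e:Event/e:EventData/e:Data[@Name='NewProcessName']", $ns)
    $parent = $EventXml.SelectSingleNode("/e:Event/e:EventData/e:Data[@Name='ParentProcessName']", $ns)
    # ParentProcessName is only logged on Windows 10 / Server 2016 and later; older hosts never match.
    if ($null -eq $new -or $null -eq $parent) { return $false }
    $newLeaf    = [System.IO.Path]::GetFileName($new.InnerText).ToLowerInvariant()
    $parentLeaf = [System.IO.Path]::GetFileName($parent.InnerText).ToLowerInvariant()
    # Widened from the query's powershell.exe to other script hosts; tune to your environment.
    $scriptHosts = 'powershell.exe', 'pwsh.exe', 'cmd.exe', 'wscript.exe', 'cscript.exe'
    return ($parentLeaf -like 'veeam*') -and ($scriptHosts -contains $newLeaf)
}

# Constructed sample events (not captured from a real host); paths are illustrative.
$hit = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4688</EventID></System>
  <EventData>
    <Data Name="NewProcessName">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
    <Data Name="ParentProcessName">C:\Program Files\Veeam\Backup and Replication\Backup\Veeam.Backup.Service.exe</Data>
  </EventData>
</Event>
'@
$benign = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4688</EventID></System>
  <EventData>
    <Data Name="NewProcessName">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
    <Data Name="ParentProcessName">C:\Windows\explorer.exe</Data>
  </EventData>
</Event>
'@

# Expected: the first sample matches, the second does not.
foreach ($sample in @($hit, $benign)) {
    Write-Output ('match={0}' -f (Test-SuspiciousVeeamChild $sample))
}

# Live use on a host with process-creation auditing (event 4688) enabled:
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } |
#     Where-Object { Test-SuspiciousVeeamChild ([xml]$_.ToXml()) }
```

The check reads the named Data elements rather than positional Properties indexes, so it does not break when the 4688 field layout differs between Windows versions.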
