CVE-2024-33671

7.7 HIGH

📋 TL;DR

This vulnerability in Veritas Backup Exec allows attackers to delete arbitrary protected files by exploiting the Deduplication Multi-threaded Streaming Agent. It affects all Backup Exec installations before version 22.2 HotFix 917391. This could lead to data loss or service disruption.

💻 Affected Systems

Products:
  • Veritas Backup Exec
Versions: All versions before 22.2 HotFix 917391
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Requires access to the Backup Exec environment and exploitation of the Deduplication Multi-threaded Streaming Agent component.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete deletion of critical backup data, rendering recovery impossible and causing permanent data loss.

🟠 Likely Case

Targeted deletion of important backup files, disrupting recovery operations and causing operational impact.

🟢 If Mitigated

Limited impact if proper access controls and monitoring are in place, with potential for detection before significant damage.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires some level of access to the Backup Exec environment and understanding of the deduplication agent functionality.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 22.2 HotFix 917391

Vendor Advisory: https://www.veritas.com/support/en_US/security/VTS24-002

Restart Required: Yes

Instructions:

1. Download HotFix 917391 from Veritas support portal.
2. Stop all Backup Exec services.
3. Apply the hotfix following Veritas installation instructions.
4. Restart Backup Exec services.

🔧 Temporary Workarounds

Restrict Access to Backup Exec

Limit network and user access to Backup Exec servers to only authorized administrators.

Monitor File Deletion Events

Enable auditing and monitoring for file deletion events in backup directories.

auditpol /set /subcategory:"File System" /success:enable /failure:enable

🧯 If You Can't Patch

  • Isolate Backup Exec servers from general network access
  • Implement strict access controls and monitor all file deletion activities

🔍 How to Verify

Check if Vulnerable:

Check the Backup Exec version in the Administration Console under Help > About. If the version is earlier than 22.2 HotFix 917391, the system is vulnerable.

Check Version:

Check Help > About in Backup Exec Administration Console

Verify Fix Applied:

Verify that the version shows 22.2 HotFix 917391 or later in the Administration Console.

📡 Detection & Monitoring

Log Indicators:

  • Unexpected file deletion events in backup directories
  • Unusual activity in Deduplication Multi-threaded Streaming Agent logs

Network Indicators:

  • Unusual connections to Backup Exec deduplication ports
  • Anomalous network traffic patterns to backup servers

SIEM Query:

EventID=4663 AND ObjectType="File" AND AccessMask="0x10000" AND ProcessName="*Backup Exec*"
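
Added example (not part of the original advisory or of Veritas documentation), covering the "Monitor File Deletion Events" workaround and the SIEM query above: the File System audit policy only produces Event ID 4663 records for folders that carry an audit entry (SACL), so this PowerShell script sets one for delete access on the backup folder and then lists matching events. The path D:\BackupData and the 2000-event window are assumptions; run it from an elevated session.

```powershell
# Assumption: placeholder for your backup / deduplication storage folder.
$BackupPath = 'D:\BackupData'

# 1. Enable the File System audit subcategory (command from the workaround).
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# 2. Add an audit rule (SACL) so delete attempts under the folder are logged.
#    Without it, the audit policy alone generates no 4663 events for these files.
$acl  = Get-Acl -Path $BackupPath -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $BackupPath -AclObject $acl

# 3. List recent 4663 events that requested DELETE (0x10000) on objects
#    under the backup folder, with the account and process responsible.
$DeleteBit = 0x10000
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } `
             -MaxEvents 2000 -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Flatten the named EventData fields into a lookup table.
        $xml    = [xml]$_.ToXml()
        $fields = @{}
        foreach ($node in $xml.Event.EventData.Data) {
            $fields[$node.Name] = $node.'#text'
        }
        # AccessMask is logged as a hex string such as 0x10000.
        $mask = [Convert]::ToInt32($fields['AccessMask'], 16)
        if ($fields['ObjectName'] -like "$BackupPath*" -and ($mask -band $DeleteBit)) {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                User    = $fields['SubjectUserName']
                Process = $fields['ProcessName']
                File    = $fields['ObjectName']
            }
        }
    } | Sort-Object Time | Format-Table -AutoSize
```

Deletions by the backup software itself during normal media and retention management will also appear, so baseline the expected accounts and processes before alerting on the output.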
