CVE-2024-40710

8.8 HIGH

📋 TL;DR

This CVE describes multiple high-severity vulnerabilities in Veeam Backup & Replication that allow authenticated low-privileged users to execute remote code as the service account and extract sensitive credentials. Organizations using affected Veeam versions with any low-privileged user accounts are at risk of complete system compromise.

💻 Affected Systems

Products:
  • Veeam Backup & Replication
Versions: 12.1.2.172 and earlier
Operating Systems: Windows Server
Default Config Vulnerable: ⚠️ Yes
Notes: All deployments with low-privileged user accounts are vulnerable. The service runs with SYSTEM privileges by default.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system takeover with service account privileges, credential theft enabling lateral movement, and potential ransomware deployment across backup infrastructure.

🟠 Likely Case

Attackers with initial low-privileged access escalate to the service account, steal backup credentials, and exfiltrate sensitive data from backup repositories.

🟢 If Mitigated

Limited to credential exposure without code execution if proper network segmentation and least privilege are implemented.

🌐 Internet-Facing: MEDIUM - While exploitation requires authentication, exposed Veeam consoles with any low-privileged accounts create significant risk.
🏢 Internal Only: HIGH - Internal attackers or compromised accounts can easily exploit these vulnerabilities to gain service account privileges.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated low-privileged access but is straightforward once initial access is obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 12.1.2.172 (build 12.1.2.172)

Vendor Advisory: https://www.veeam.com/kb4649

Restart Required: Yes

Instructions:

1. Download the cumulative patch from Veeam KB4649.
2. Stop all backup jobs.
3. Install the patch on all Veeam servers.
4. Restart services/servers as prompted.
5. Verify patch installation in Help > About.

🔧 Temporary Workarounds

Remove low-privileged accounts (Windows)

Temporarily remove or disable all low-privileged user accounts from the Veeam Backup & Replication console.

Use the Veeam console: Users and Roles > Remove non-essential accounts

Network segmentation (Windows)

Restrict access to the Veeam console to trusted administrative networks only.

Windows Firewall: New Inbound Rule restricting 9392/TCP, 9393/TCP to admin subnets

🧯 If You Can't Patch

  • Implement strict network segmentation - isolate Veeam infrastructure from general network access
  • Apply principle of least privilege - remove all non-essential low-privileged accounts immediately

🔍 How to Verify

Check if Vulnerable:

Check the Veeam version in the console: Help > About. If the version is 12.1.2.172 or earlier, the system is vulnerable.

Check Version:

In Veeam console: Help > About displays version information

Verify Fix Applied:

Verify that the version shows 12.1.2.172 (build 12.1.2.172) or later in Help > About. Check the patch installation logs at C:\ProgramData\Veeam\Backup\PatchLogs.

📡 Detection & Monitoring

Log Indicators:

  • Unusual service account activity in Windows Event Logs
  • Multiple failed authentication attempts followed by successful low-privileged login
  • Unexpected process creation by Veeam service account

Network Indicators:

  • Unusual outbound connections from Veeam server on non-standard ports
  • Multiple authentication attempts to Veeam console from single source

SIEM Query (the two event types must be selected with OR and then correlated by host and time; a single event never carries both EventCode=4624 and EventCode=4688, so joining them with AND matches nothing):

source="Windows Security" ((EventCode=4624 LogonType=3 AccountName="VEEAM*") OR (EventCode=4688 ParentProcessName="*Veeam*"))
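The correlation that the query above only hints at, as an added example that is not part of this advisory or of any Veeam tooling: a type 3 (network) logon by a VEEAM* account followed on the same host, within a short window, by a process spawned under a parent matching *Veeam*. The event records are constructed for the demo; the field names mirror the query, while the host names, paths, account name and the five-minute window are assumptions.

```python
from datetime import datetime, timedelta
from fnmatch import fnmatch

# Constructed sample events (not real logs). Field names follow the SIEM
# query on this page; hosts, paths and account names are made up.
SAMPLE_EVENTS = [
    {"time": "2024-09-05T10:00:00", "host": "VBR01", "EventCode": 4624,
     "LogonType": 3, "AccountName": "VEEAM-SVC"},
    {"time": "2024-09-05T10:00:20", "host": "VBR01", "EventCode": 4688,
     "ParentProcessName": r"C:\Demo\Veeam\VeeamService.exe",
     "NewProcessName": r"C:\Windows\System32\cmd.exe"},
    {"time": "2024-09-05T10:01:00", "host": "VBR01", "EventCode": 4688,
     "ParentProcessName": r"C:\Demo\Veeam\VeeamService.exe",
     "NewProcessName": r"C:\Demo\Veeam\VeeamAgent.exe"},
    {"time": "2024-09-05T11:00:00", "host": "VBR02", "EventCode": 4624,
     "LogonType": 2, "AccountName": "VEEAM-SVC"},  # interactive: not a hit
    {"time": "2024-09-05T11:00:10", "host": "VBR02", "EventCode": 4688,
     "ParentProcessName": r"C:\Demo\Veeam\VeeamService.exe",
     "NewProcessName": r"C:\Windows\System32\cmd.exe"},
]

def _ts(ev):
    return datetime.fromisoformat(ev["time"])

def correlate(events, window=timedelta(minutes=5)):
    """Return alerts for 4688 events with a *Veeam* parent that occur within
    `window` after a type 3 logon by a VEEAM* account on the same host.
    A child that is itself a Veeam binary is 'low'; anything else (cmd,
    powershell, ...) is 'high', matching the 'unexpected process' indicator."""
    alerts, last_logon = [], {}  # last_logon: host -> (time, account)
    for ev in sorted(events, key=_ts):
        if (ev["EventCode"] == 4624 and ev.get("LogonType") == 3
                and fnmatch(ev.get("AccountName", "").upper(), "VEEAM*")):
            last_logon[ev["host"]] = (_ts(ev), ev["AccountName"])
        elif (ev["EventCode"] == 4688
              and fnmatch(ev.get("ParentProcessName", "").lower(), "*veeam*")):
            logon = last_logon.get(ev["host"])
            if logon is None or not (timedelta(0) <= _ts(ev) - logon[0] <= window):
                continue
            child = ev.get("NewProcessName", "")
            alerts.append({
                "host": ev["host"], "account": logon[1], "child": child,
                "severity": "low" if fnmatch(child.lower(), "*veeam*") else "high",
                "seconds_after_logon": int((_ts(ev) - logon[0]).total_seconds()),
            })
    return alerts
```

Running `correlate(SAMPLE_EVENTS)` flags only the two VBR01 process creations; the VBR02 pair is ignored because its logon is interactive (type 2), not network (type 3).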
