CVE-2024-40717
📋 TL;DR
This vulnerability in Veeam Backup & Replication lets an authenticated user who holds only a low-privileged Veeam role achieve remote code execution on the backup server. The user edits an existing job so that it runs a script (for example, one the attacker has placed on a network share) as a pre- or post-job step, then reschedules the job so it runs almost immediately. Job scripts execute on the backup server itself, so a successful attack compromises the machine that holds and controls the backups. Any deployment that assigns Veeam roles to accounts that are not fully trusted is exposed.
💻 Affected Systems
- Veeam Backup & Replication (KB4693 lists 12.2.0.334 and all earlier version 12 builds as affected)
📦 What is this software?
Veeam Backup & Replication is an enterprise backup and replication platform for virtual, physical and cloud workloads. Its central component, the backup server, runs on Windows and executes backup jobs, including any pre- or post-job scripts a job is configured with, so whoever controls job definitions controls code that runs on that server.
⚠️ Risk & Real-World Impact
Worst Case
Full compromise of the backup server leading to data exfiltration, ransomware deployment across backup infrastructure, and lateral movement to connected systems.
Likely Case
Backup server compromise allowing attackers to access sensitive backup data, disrupt backup operations, and potentially deploy ransomware.
If Mitigated
Limited impact if access to the Veeam console and API is tightly controlled and the backup server is segmented, but any account that legitimately holds an affected role can still exploit the flaw until the server is upgraded.
🎯 Exploit Status
Requires authenticated access with a Veeam role that is allowed to update existing jobs, plus familiarity with job configuration. The attacker also needs a location the backup server can read the script from, typically a network share reachable over SMB.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 12.3 (build 12.3.0.310), per KB4693
Vendor Advisory: https://www.veeam.com/kb4693
Restart Required: as prompted by the upgrade wizard (12.3 is a full version upgrade, not a hotfix)
Instructions:
1. Take a configuration backup of the Veeam backup server before you start. 2. Download the Veeam Backup & Replication 12.3 installation media linked from KB4693 and run the setup on the backup server, choosing Upgrade. 3. Follow the wizard and let it upgrade the Veeam components on managed servers when it offers to. 4. Confirm that Help > About shows build 12.3.0.310 or later.
🔧 Temporary Workarounds
Audit and Remove Script Hooks
KB4693 documents no configuration switch that blocks this vulnerability; the following are compensating controls until you can upgrade.
Open every job's Advanced settings > Scripts tab in the job wizard and remove any pre- or post-job script you did not deliberately configure, especially one that points at a network share. Any script that must stay should live on the backup server's local disk, in a directory only administrators can write to.
Role Restriction
Veeam roles are fixed sets of permissions and cannot be trimmed, so restrict who holds them instead.
In the console, open Main Menu > Users and Roles and remove every account or group that does not strictly need the Backup Operator, Restore Operator, Tape Operator or Backup Administrator role; the read-only Backup Viewer role is sufficient for most reporting needs.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate backup servers from general network access
- Apply principle of least privilege - review and restrict user roles to minimum necessary permissions
🔍 How to Verify
Check if Vulnerable:
Open the Veeam console and go to Help > About. Any version 12 build below 12.3.0.310 is vulnerable.
Check Version:
Help > About in the Veeam console displays the exact build number; this is the number KB4693 refers to.
Verify Fix Applied:
After the upgrade, confirm Help > About shows 12.3.0.310 or higher, then re-check the jobs you audited for script hooks to make sure none were added in the meantime.
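The version check above and the job-script audit from the workaround section, combined into one PowerShell script. This is an added example, not Veeam's own code. It assumes the default install directory, that the Veeam.Backup.PowerShell module is available (it ships with the console), and that the job-option property names are the ones the v12 module exposes (JobScriptCommand, PreScriptEnabled/PostScriptEnabled, PreScriptCommandLine/PostScriptCommandLine, IsScheduleEnabled, ScheduleOptions.NextRun); if your build differs, trust Help > About for the version and adjust the property names.

```powershell
# Added example, not Veeam's own code. Run in an elevated PowerShell session on
# the backup server. Assumptions: default install path; Veeam.Backup.PowerShell
# module present (ships with the console); job-option property names as exposed
# by the v12 module (JobScriptCommand, Pre/PostScriptEnabled, Pre/PostScriptCommandLine).

$FixedBuild = [version]'12.3.0.310'   # first build containing the fix per KB4693

# --- 1. Is the fix installed? ------------------------------------------------
# Help > About shows the same build; reading the core DLL lets this run unattended.
$coreDll = 'C:\Program Files\Veeam\Backup and Replication\Backup\Veeam.Backup.Core.dll'
if (-not (Test-Path $coreDll)) {
    throw "Veeam core DLL not found at '$coreDll'; adjust the path for a non-default install."
}
$installed = [version](Get-Item $coreDll).VersionInfo.FileVersion
if ($installed -ge $FixedBuild) {
    Write-Host "Build $installed >= $FixedBuild : CVE-2024-40717 fix present" -ForegroundColor Green
} else {
    Write-Warning "Build $installed < $FixedBuild : VULNERABLE, upgrade per https://www.veeam.com/kb4693"
}

# --- 2. Which jobs already carry script hooks? ------------------------------
# A pre-/post-job script pointing at a UNC path is exactly the precondition the
# attack creates, so those are listed first; still review every hit.
Import-Module Veeam.Backup.PowerShell -ErrorAction Stop

$uncPattern = '^\s*"?\\\\'            # command line that starts with \\server\share
$findings = foreach ($job in Get-VBRJob) {
    $hooks = $job.GetOptions().JobScriptCommand
    foreach ($phase in 'Pre', 'Post') {
        $enabled = $hooks."${phase}ScriptEnabled"
        $cmd     = $hooks."${phase}ScriptCommandLine"
        if ($enabled -and $cmd) {
            [pscustomobject]@{
                Job       = $job.Name
                Phase     = $phase
                Command   = $cmd
                OnShare   = [bool]($cmd -match $uncPattern)
                Scheduled = $job.IsScheduleEnabled
                NextRun   = $job.ScheduleOptions.NextRun
            }
        }
    }
}

if (-not $findings) {
    'No job has a pre- or post-job script configured.'
} else {
    # Share-hosted scripts first, then the jobs due to run soonest.
    $findings | Sort-Object OnShare, NextRun -Descending | Format-Table -AutoSize
}
```

Run it before the upgrade to get a baseline of legitimate script hooks and again afterwards; a hook that appears between the two runs, or one whose NextRun is minutes away, is worth an incident ticket rather than a cleanup.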
📡 Detection & Monitoring
Log Indicators:
- Job edits by accounts that hold an operator role rather than Backup Administrator, particularly edits that add or change a pre- or post-job script
- A job rescheduled to run within minutes of being edited, or a manual start immediately after an edit
- Script execution by a job where the command line points at a UNC path or at a location nobody configured (Veeam's own job logs live under %ProgramData%\Veeam\Backup on the backup server)
Network Indicators:
- Outbound SMB (TCP 445) from the backup server to a user workstation or an unfamiliar share right before a job runs; the server fetching the attacker's script is the tell, not inbound traffic
- Unusual outbound connections from the backup server after a job completes (callbacks, tool downloads, lateral movement to other servers)
SIEM Query:
The query below is illustrative pseudo-syntax; substitute the source, event and role field names your log pipeline actually extracts from the Veeam logs.
source="veeam_logs" AND (event_type="job_modified" OR event_type="script_executed") AND user_role IN ("Backup Operator", "Restore Operator", "Tape Operator")
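The log indicators and the SIEM query above, turned into a two-stage correlation rule in PowerShell. This is an added example, not vendor code. The event records are constructed for the demonstration, and the field names (Time, User, Role, Event, Job, Detail) and event names are assumptions to be mapped onto whatever your SIEM extracts from the Veeam logs.

```powershell
# Added example, not vendor code. The events below are constructed for the demo;
# map the fields (Time, User, Role, Event, Job, Detail) and event names to what
# your SIEM actually extracts from %ProgramData%\Veeam\Backup before relying on it.

$operatorRoles = 'Backup Operator', 'Restore Operator', 'Tape Operator'
$window        = [timespan]::FromMinutes(30)

# Constructed sample: a routine admin edit, then an operator who sets a script
# on a share, reschedules the job, and the script runs on the backup server.
$events = @(
    [pscustomobject]@{ Time = [datetime]'2024-12-04T09:00:00'; User = 'CORP\backupadmin';    Role = 'Backup Administrator'; Event = 'JobModified';    Job = 'Nightly-SQL'; Detail = 'retention changed to 14 days' }
    [pscustomobject]@{ Time = [datetime]'2024-12-04T13:02:10'; User = 'CORP\jdoe';           Role = 'Backup Operator';     Event = 'JobModified';    Job = 'Nightly-SQL'; Detail = 'post-job script set: \\fileshare01\public\update.bat' }
    [pscustomobject]@{ Time = [datetime]'2024-12-04T13:03:45'; User = 'CORP\jdoe';           Role = 'Backup Operator';     Event = 'JobScheduled';   Job = 'Nightly-SQL'; Detail = 'next run moved to 2024-12-04T13:05:00' }
    [pscustomobject]@{ Time = [datetime]'2024-12-04T13:05:12'; User = 'NT AUTHORITY\SYSTEM'; Role = 'Service';             Event = 'ScriptExecuted'; Job = 'Nightly-SQL'; Detail = 'cmd.exe /c \\fileshare01\public\update.bat' }
)

function Find-JobScriptAbuse {
    param([object[]]$Events, [string[]]$Roles, [timespan]$Window)

    # Stage 1 is the page's query: any job change made by an operator-role account.
    $edits = $Events | Where-Object {
        $_.Event -in @('JobModified', 'JobScheduled') -and $_.Role -in $Roles
    }

    # Stage 2 raises severity when the same job then runs a script from a UNC
    # path inside the window; that sequence is the exploit, not routine work.
    foreach ($edit in $edits) {
        $exec = $Events | Where-Object {
            $_.Event -eq 'ScriptExecuted' -and $_.Job -eq $edit.Job -and
            $_.Time -ge $edit.Time -and ($_.Time - $edit.Time) -le $Window -and
            $_.Detail -match '\\\\[^\\]+\\'        # \\server\share\... in the command line
        } | Select-Object -First 1

        $severity     = if ($exec) { 'High' } else { 'Medium' }
        $scriptDetail = if ($exec) { $exec.Detail } else { $null }
        [pscustomobject]@{
            Time     = $edit.Time
            Job      = $edit.Job
            User     = $edit.User
            Role     = $edit.Role
            Event    = $edit.Event
            Severity = $severity
            Script   = $scriptDetail
        }
    }
}

Find-JobScriptAbuse -Events $events -Roles $operatorRoles -Window $window | Format-Table -AutoSize
```

On the sample data the admin's edit produces no alert, while both of jdoe's actions surface as High because the same job ran a share-hosted script within the window. The medium tier is deliberately noisy: operator-role job edits are rare enough in most environments that each one deserves a look, and the high tier is the one that pages someone.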