CVE-2024-42452
📋 TL;DR
A privilege escalation vulnerability in Veeam Backup & Replication allows authenticated low-privileged users to remotely start agents in server mode and obtain credentials, leading to system-level access and file upload capabilities. This affects organizations using Veeam Backup & Replication with multiple user accounts. Attackers who already hold a low-privileged account can achieve full system compromise through this flaw.
💻 Affected Systems
- Veeam Backup & Replication
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise allowing attackers to execute arbitrary code, steal all backup data, deploy ransomware, and pivot to other systems in the environment.
Likely Case
Privilege escalation from low-privileged user to SYSTEM-level access, credential theft, and unauthorized file uploads to the backup server.
If Mitigated
Limited impact if proper network segmentation, least privilege access, and monitoring are in place, though credential exposure still poses significant risk.
🎯 Exploit Status
Requires authenticated access but the exploit chain is straightforward once initial access is obtained. No public exploit code is available as of current knowledge.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 12.2.0.334
Vendor Advisory: https://www.veeam.com/kb4693
Restart Required: No
Instructions:
1. Download Veeam Backup & Replication 12.2.0.334 from the official portal.
2. Run the installer with administrative privileges.
3. Follow the upgrade wizard.
4. Verify the installation completes successfully.
🔧 Temporary Workarounds
Restrict User Permissions
Limit low-privileged user access to only essential functions and implement strict least privilege principles.
Network Segmentation
Isolate Veeam Backup & Replication servers from general network access and restrict communication to authorized management systems only.
🧯 If You Can't Patch
- Implement strict network access controls to limit who can communicate with Veeam Backup & Replication servers
- Enable detailed logging and monitoring for suspicious authentication and privilege escalation attempts
- Regularly rotate credentials and implement multi-factor authentication where possible
- Conduct frequent security audits of user permissions and access patterns
🔍 How to Verify
Check if Vulnerable:
Check the Veeam Backup & Replication version in the console under Help > About. If the version is below 12.2.0.334, the system is vulnerable.
Check Version:
In Veeam Backup & Replication console: Navigate to Help > About to view version information.
Verify Fix Applied:
After patching, verify the version shows 12.2.0.334 or higher in Help > About. Test that low-privileged users cannot start agents in server mode or access credential-related functions.
📡 Detection & Monitoring
Log Indicators:
- Unauthorized attempts to start agents in server mode
- Unexpected privilege escalation events
- Suspicious credential access or export activities
- Failed authentication attempts followed by successful agent startups
Network Indicators:
- Unusual remote procedure calls to Veeam services
- Unexpected file uploads to backup servers
- Anomalous network traffic patterns from low-privileged accounts
SIEM Query:
source="veeam_logs" AND (event_type="agent_start" OR event_type="credential_access") AND user_privilege="low" AND result="success"
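
The log indicators and SIEM query above, worked into a small correlation script (an added example, not part of the original page or Veeam's tooling). It assumes logs already normalized to JSON lines: event_type, user_privilege and result are the field names from the page's query, while ts, user and the "auth" event type are assumptions, and the sample events are constructed.

```python
import json
from datetime import datetime, timedelta

# Constructed sample events, not real Veeam output. event_type, user_privilege and
# result come from the page's query; ts, user and the "auth" type are assumptions.
SAMPLE_EVENTS = """\
{"ts":"2024-12-05T09:00:01","user":"svc-report","user_privilege":"low","event_type":"auth","result":"failure"}
{"ts":"2024-12-05T09:00:09","user":"svc-report","user_privilege":"low","event_type":"auth","result":"failure"}
{"ts":"2024-12-05T09:02:30","user":"svc-report","user_privilege":"low","event_type":"agent_start","result":"success"}
{"ts":"2024-12-05T09:03:00","user":"svc-report","user_privilege":"low","event_type":"credential_access","result":"success"}
{"ts":"2024-12-05T10:15:00","user":"backupadmin","user_privilege":"high","event_type":"agent_start","result":"success"}
{"ts":"2024-12-05T08:00:00","user":"helpdesk1","user_privilege":"low","event_type":"auth","result":"failure"}
{"ts":"2024-12-05T11:00:00","user":"helpdesk1","user_privilege":"low","event_type":"agent_start","result":"success"}
{"ts":"2024-12-05T11:05:00","user":"helpdesk1","user_privilege":"low","event_type":"credential_access","result":"failure"}
"""

WATCHED = {"agent_start", "credential_access"}


def detect(lines, window=timedelta(minutes=10), min_failures=2):
    """Alert on successful watched events by low-privileged users.

    Severity is "high" when the same user had at least min_failures failed
    authentications inside the preceding window, otherwise "medium".
    """
    events = sorted((json.loads(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    failures = {}  # user -> timestamps of failed authentications
    alerts = []
    for e in events:
        ts = datetime.fromisoformat(e["ts"])
        if e["event_type"] == "auth" and e["result"] == "failure":
            failures.setdefault(e["user"], []).append(ts)
        elif (e["event_type"] in WATCHED and e["user_privilege"] == "low"
              and e["result"] == "success"):
            prior = [t for t in failures.get(e["user"], []) if ts - t <= window]
            alerts.append({
                "ts": e["ts"], "user": e["user"], "event_type": e["event_type"],
                "prior_failures": len(prior),
                "severity": "high" if len(prior) >= min_failures else "medium",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS.splitlines()):
        print(alert)
```

The medium-severity alerts correspond to the page's query on its own; the high-severity ones add the "failed authentication attempts followed by successful agent startups" indicator.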