Veeam Backup & Replication RCE via lowprivileged role
CVE-2024-40710 Published on September 7, 2024
A series of related high-severity vulnerabilities, the most notable enabling remote code execution (RCE) as the service account and extraction of sensitive information (savedcredentials and passwords). Exploiting these vulnerabilities requires a user who has been assigned a low-privileged role within Veeam Backup & Replication.
Weakness Type
Insufficiently Protected Credentials
The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.
Products Associated with CVE-2024-40710
Want to know whenever a new CVE is published for Veeam Backup Replication? stack.watch will email you.
Affected Versions
Veeam Backup and Recovery:- Version 12.1.2, <= 12.1.2 is affected.
- Version 12, <= 12.1.2.172 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.