Unauthenticated RCE via deserialization in Unknown Component
CVE-2024-40711 Published on September 7, 2024
A deserialization of untrusted data vulnerability, triggered by a malicious payload, can allow unauthenticated remote code execution (RCE).
Known Exploited Vulnerability
This Veeam Backup and Replication Deserialization Vulnerability is part of CISA's list of Known Exploited Vulnerabilities. Veeam Backup and Replication contains a deserialization vulnerability allowing an unauthenticated user to perform remote code execution.
The following remediation steps are recommended / required by November 7, 2024: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Weakness Type
What is a Marshaling, Unmarshaling Vulnerability?
The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid.
CVE-2024-40711 has been classified as a Marshaling, Unmarshaling vulnerability or weakness.
Products Associated with CVE-2024-40711
Affected Versions
Veeam Backup and Recovery:
- Version 12.1.2 (<= 12.1.2) is affected.
- Versions up to and including 12.2.0.334 are affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.