Full Report
Veeam has released security updates today to fix several Veeam Backup & Replication (VBR) flaws, including a critical remote code execution (RCE) vulnerability. [...]
Analysis Summary
The provided article mentions a **new Veeam RCE flaw** that allows domain users to compromise backup servers, but it **does not explicitly provide the CVE identifier or CVSS score for this *new* flaw**.
However, the article references a *previously disclosed* critical RCE flaw affecting Veeam Backup & Replication (VBR): **CVE-2024-40711**, which is currently being exploited by ransomware groups. The summary below is therefore structured around the *critical known vulnerability that is mentioned* (CVE-2024-40711), because details for the "new Veeam RCE flaw" named in the headline are missing from the provided text excerpt.
***
# Vulnerability: Critical RCE in Veeam Backup & Replication (Referencing CVE-2024-40711)
## CVE Details
- CVE ID: **CVE-2024-40711** (Referenced in the context of ongoing exploitation)
- CVSS Score: **Information Not Available** in the provided text. (Note: Past VBR RCEs were critical/high severity.)
- CWE: Information Not Available
## Affected Systems
- Products: **Veeam Backup & Replication (VBR)**
- Versions: **Specific vulnerable versions are not listed** in this excerpt. The vulnerability is noted as being actively exploited.
- Configurations: Requires the attacker to be a **domain user** to exploit the flaw against the backup server.
## Vulnerability Description
The vulnerability is a **Remote Code Execution (RCE)** flaw impacting Veeam Backup & Replication (VBR) servers. An attacker who already holds domain user privileges can use it to achieve arbitrary code execution on the vulnerable backup infrastructure. Because the backup server holds copies of production data and credentials to reach it, this type of flaw allows deep compromise of both backup data and the systems it protects.
## Exploitation
- Status: **Exploited in the wild**. Specifically mentioned as being used by **Frag ransomware**, and previously by **Akira** and **Fog** ransomware attacks, as well as the **Cuba ransomware** gang and the **FIN7** threat group.
- Complexity: **Information Not Available**, but exploitation by multiple sophisticated groups suggests established exploit methods exist.
- Attack Vector: **Network** (Implied, as domain user access is the necessary prerequisite, often achieved via compromised workstations or lateral movement).
## Impact
- Confidentiality: **High** (Potential access to all backed-up sensitive data).
- Integrity: **High** (Ability to modify or delete backups).
- Availability: **High** (Ability to disable or encrypt backup infrastructure, leading to potential data loss).
## Remediation
### Patches
- **Information Not Available** in the provided text excerpt for either the new flaw or CVE-2024-40711. Users should consult the official Veeam security advisories for the latest patch information related to CVE-2024-40711 and any newer disclosures.
### Workarounds
- **Information Not Available** in the provided text excerpt.
## Detection
- **Indicators of Compromise (IoCs):** No concrete IoCs (hashes, IPs, file paths) are given in the provided text excerpt. Detection should instead focus on unusual remote access attempts or command execution originating from domain user accounts toward the Veeam Backup Server, particularly post-exploitation activity associated with ransomware deployment (e.g., mass file encryption or deletion).
- **Detection Methods and Tools:** Monitor Veeam server logs and Windows process-creation auditing for unexpected process execution or privilege escalation attempts that originate from an ordinary user context rather than from the backup service account.
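The detection idea above, turned into a small rule set, as an added example that is not part of the original report and not Veeam's own tooling. It assumes the backup server produces Windows process-creation records (Event ID 4688 or Sysmon Event ID 1 style: subject account, parent image, new image, command line), that Veeam's services run under a dedicated service account, and that the account names, binary names and the sample events are placeholders constructed for the example.

```python
"""Flag unexpected process execution on a Veeam backup server.

Added example (not from the article or from Veeam).  The records, account
names and binary names below are constructed placeholders; the two rules
encode the report's guidance: shells spawned by the backup service, and
shells launched in an ordinary domain user's context, are unexpected.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Assumed environment values (placeholders, not from the page).
VEEAM_SERVICE_ACCOUNT = "corp\\svc_veeam"          # account the Veeam service runs as
ALLOWED_ADMIN_ACCOUNTS = {"corp\\adm_backup"}      # admins expected to open shells here
VEEAM_SERVICE_BINARIES = {"veeam.backup.service.exe", "veeam.backup.manager.exe"}
# Interactive shells / script hosts a backup service has no reason to launch.
SHELLS_AND_SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe",
                           "wscript.exe", "cscript.exe", "mshta.exe"}


@dataclass(frozen=True)
class ProcessEvent:
    """Simplified fields of a 4688 / Sysmon EID 1 process-creation record."""
    record_id: int
    subject_account: str   # DOMAIN\user in whose context the new process runs
    parent_image: str      # creator (parent) process path
    new_image: str         # new process path
    command_line: str


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: ProcessEvent) -> Optional[str]:
    """Return an alert reason for a suspicious event, or None when it looks benign."""
    parent = _basename(ev.parent_image)
    child = _basename(ev.new_image)
    account = ev.subject_account.lower()

    # Rule 1: the backup service itself spawning a shell or script host.
    if parent in VEEAM_SERVICE_BINARIES and child in SHELLS_AND_SCRIPT_HOSTS:
        return "veeam service process spawned a shell or script host"

    # Rule 2: a shell started on the backup server in a user context that is
    # neither the service account, an allow-listed admin, nor a machine account.
    if (child in SHELLS_AND_SCRIPT_HOSTS
            and not account.endswith("$")
            and account != VEEAM_SERVICE_ACCOUNT
            and account not in ALLOWED_ADMIN_ACCOUNTS):
        return "shell launched on backup server by an unexpected domain user"

    return None


def scan(events: Iterable[ProcessEvent]) -> List[Tuple[int, str]]:
    """Run classify() over a stream of events and collect (record_id, reason) hits."""
    hits: List[Tuple[int, str]] = []
    for ev in events:
        reason = classify(ev)
        if reason is not None:
            hits.append((ev.record_id, reason))
    return hits


VEEAM_DIR = r"C:\Program Files\Veeam\Backup and Replication\Backup"

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # 1: normal backup job worker launched by the service -> benign
    ProcessEvent(1, "CORP\\svc_veeam", VEEAM_DIR + r"\Veeam.Backup.Service.exe",
                 VEEAM_DIR + r"\VeeamAgent.exe", "VeeamAgent.exe --job 42"),
    # 2: service account spawning cmd.exe from the Veeam service -> rule 1
    ProcessEvent(2, "CORP\\svc_veeam", VEEAM_DIR + r"\Veeam.Backup.Service.exe",
                 r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami"),
    # 3: ordinary domain user opening PowerShell on the backup server -> rule 2
    ProcessEvent(3, "CORP\\jdoe", r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -nop -w hidden"),
    # 4: allow-listed backup admin opening PowerShell -> benign
    ProcessEvent(4, "CORP\\adm_backup", r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe"),
    # 5: machine account running a service host -> benign
    ProcessEvent(5, "CORP\\BACKUP01$", r"C:\Windows\System32\services.exe",
                 r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),
]

if __name__ == "__main__":
    for record_id, reason in scan(SAMPLE_EVENTS):
        print(f"ALERT record={record_id}: {reason}")
```

Running the file prints alerts for records 2 and 3 only. In a real deployment the allow-list and service-account names would come from the environment's inventory, and rule 2 would normally be scoped to the backup server host rather than applied fleet-wide, since interactive shells are routine on workstations.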
## References
- Vendor Advisory (General context): hxxps://www.veeam.com/company/press-release/veeam-the-worlds-1-leader-in-data-resilience-launches-new-enterprise-capabilities-in-veeam-data-platform-v12-3-including-microsoft-entra-id-protection.html
- Vulnerability Context 1: hxxps://www.bleepingcomputer.com/news/security/veeam-warns-of-critical-rce-flaw-in-backup-and-replication-software/
- Vulnerability Context 2 (Exploitation): hxxps://www.bleepingcomputer.com/news/security/critical-veeam-rce-bug-now-used-in-frag-ransomware-attacks/