Veeam security advisory (AV26-519)
Analysis Summary
# Vulnerability: Multiple Vulnerabilities in Veeam Cloud Backup & Orchestration Products
## CVE Details
*Note: The provided source document (AV26-519) identifies the affected products and versions but does not list specific CVE IDs or CVSS scores. While these updates typically address critical or high-severity flaws, the following details are based on the linked advisory references.*
- **CVE ID:** CVE-YYYY-XXXXX (Pending specific vendor assignment in notice)
- **CVSS Score:** Critical/High (Based on vendor priority for these patches)
- **CWE:** Often categorized under CWE-287 (Improper Authentication) or CWE-502 (Deserialization of Untrusted Data) for this product line.
## Affected Systems
- **Products:**
  - Veeam Backup for AWS
  - Veeam Backup for Google Cloud
  - Veeam Backup for Microsoft Azure
  - Veeam Recovery Orchestrator
- **Versions:**
  - Veeam Backup for AWS: 10.1.x versions prior to 10.1.0.40
  - Veeam Backup for Google Cloud: 7.0.1.x versions prior to 7.0.1.4
  - Veeam Backup for Microsoft Azure: 8.1 Patch 2 versions prior to 8.0.236
  - Veeam Recovery Orchestrator: Versions prior to 13.0.2.27
- **Configurations:** Systems running with default configurations and internet-facing management consoles are at highest risk.
## Vulnerability Description
While the CCCS advisory (AV26-519) summarizes the release of security fixes, these specific versions typically address flaws related to unauthorized access, privilege escalation, or remote code execution (RCE) within the management service components. The updates focus on tightening the security posture of the backup controllers that interface with public cloud APIs and the orchestration engine that handles disaster recovery workflows.
## Exploitation
- **Status:** Not explicitly reported as exploited in the wild (refer to vendor KB for real-time updates).
- **Complexity:** Low to Medium
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** High
- **Integrity:** High
- **Availability:** High
## Remediation
### Patches
Veeam recommends updating to the following versions immediately:
- **Veeam Backup for AWS:** Update to version **10.1.0.40** or later.
- **Veeam Backup for Google Cloud:** Update to version **7.0.1.4** or later.
- **Veeam Backup for Microsoft Azure:** Update to version **8.0.236** or later.
- **Veeam Recovery Orchestrator:** Update to version **13.0.2.27** or later.
### Workarounds
- Ensure management consoles for these products are not exposed to the public internet.
- Implement strict IP whitelisting for access to the backup infrastructure.
- Use Multi-Factor Authentication (MFA) for all administrative accounts.
## Detection
- **Indicators of Compromise:** Unusual administrative login activity, unauthorized creation of backup export tasks, or unexpected modifications to cloud IAM roles associated with Veeam service accounts.
- **Detection Methods and Tools:** Monitor Veeam logs for unauthorized API calls and review cloud provider logs (CloudTrail, Cloud Logging) for anomalies originating from the Veeam appliance.
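The CloudTrail review described above can be sketched as follows. This is an added example, not part of the advisory or any Veeam tooling; it triages records for IAM role writes that either target a Veeam-associated role or are made with that role's credentials. The role name `veeam-backup-service`, the appliance IP, the account ID and every sample record are constructed assumptions, and a finding is a lead for review, not proof of compromise.

```python
# Added example: triage CloudTrail records for IAM role changes tied to a Veeam role.
# The role name, appliance IP and all records below are constructed assumptions.
IAM_ROLE_WRITES = {"AttachRolePolicy", "DetachRolePolicy", "PutRolePolicy",
                   "DeleteRolePolicy", "UpdateAssumeRolePolicy"}

def flag_role_changes(records, role_marker, appliance_ips):
    """Return one finding per IAM role write that involves the Veeam role."""
    findings = []
    for rec in records:
        if (rec.get("eventSource") != "iam.amazonaws.com"
                or rec.get("eventName") not in IAM_ROLE_WRITES):
            continue
        # requestParameters and sessionContext can be null or absent in CloudTrail.
        target = (rec.get("requestParameters") or {}).get("roleName", "")
        ident = rec.get("userIdentity") or {}
        issuer = ((ident.get("sessionContext") or {}).get("sessionIssuer") or {}).get("arn", "")
        reasons = []
        if role_marker in target:
            reasons.append("veeam-role-modified")
        if role_marker in issuer:
            reasons.append("change-made-by-veeam-role")
            # Role credentials seen from an address other than the appliance's.
            if rec.get("sourceIPAddress") not in appliance_ips:
                reasons.append("veeam-credentials-used-off-appliance")
        if reasons:
            findings.append({"time": rec.get("eventTime"), "event": rec["eventName"],
                             "target": target, "reasons": reasons})
    return findings

def make_record(time, source, name, ip, role=None, issuer=None):
    """Build a minimal constructed CloudTrail record for the sample below."""
    ident = ({"type": "AssumedRole", "sessionContext": {"sessionIssuer": {"arn": issuer}}}
             if issuer else {"type": "IAMUser", "userName": "ops-admin"})
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "sourceIPAddress": ip, "userIdentity": ident,
            "requestParameters": {"roleName": role} if role else None}

VEEAM_ARN = "arn:aws:iam::111122223333:role/veeam-backup-service"  # constructed
SAMPLE = [  # constructed records, not real log data
    make_record("2026-01-10T02:14:07Z", "iam.amazonaws.com", "AttachRolePolicy", "198.51.100.7", "veeam-backup-service"),
    make_record("2026-01-10T02:15:30Z", "ec2.amazonaws.com", "DescribeInstances", "10.0.4.15", issuer=VEEAM_ARN),
    make_record("2026-01-10T02:16:02Z", "iam.amazonaws.com", "PutRolePolicy", "10.0.4.15", "app-deploy", VEEAM_ARN),
    make_record("2026-01-10T02:19:44Z", "iam.amazonaws.com", "UpdateAssumeRolePolicy", "203.0.113.50", "veeam-backup-service", VEEAM_ARN),
    make_record("2026-01-10T02:21:10Z", "iam.amazonaws.com", "AttachRolePolicy", "198.51.100.7", "app-deploy"),
]

if __name__ == "__main__":
    for f in flag_role_changes(SAMPLE, "veeam-backup-service", {"10.0.4.15"}):
        print(f["time"], f["event"], f["target"], ",".join(f["reasons"]))
```

In practice the records would come from the `Records` array of exported CloudTrail log files, and the role marker and appliance addresses from the deployment's own inventory.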
## References
- Veeam Recovery Orchestrator Fixes: hxxps[://]www[.]veeam[.]com/kb4857
- Veeam Backup for AWS 10.1 Info: hxxps[://]www[.]veeam[.]com/kb4851
- Veeam Backup for Google Cloud 7.0.1 Info: hxxps[://]www[.]veeam[.]com/kb4859
- Veeam Backup for Microsoft Azure 8.1 Info: hxxps[://]www[.]veeam[.]com/kb4850
- Veeam Knowledge Base: hxxps[://]www[.]veeam[.]com/knowledge-base[.]html