"Veeam Patches Critical Vulnerabilities in Enterprise Products"

Veeam recently announced patches for multiple vulnerabilities in its enterprise products, including critical severity bugs that could lead to remote code execution (RCE).  The company resolved six flaws in its Backup & Replication product, including a critical severity issue that could be exploited remotely, without authentication, to execute arbitrary code.  Tracked as CVE-2024-40711, the security defect has a CVSS score of 9.8.  Veeam also patched CVE-2024-40710 (CVSS score of 8.8), which refers to multiple related high-severity vulnerabilities that could lead to RCE and sensitive information disclosure.  The remaining four high-severity flaws could lead to the modification of multi-factor authentication (MFA) settings, file removal, the interception of sensitive credentials, and local privilege escalation.  The company noted that all security defects impact Backup & Replication version 12.1.2.172 and earlier 12 builds and were addressed with the release of version 12.2 (build 12.2.0.334) of the solution.  This week, the company also announced that Veeam ONE version 12.2 (build 12.2.0.4093) addresses six vulnerabilities.  Two critical severity flaws could allow attackers to execute code remotely on the systems running Veeam ONE (CVE-2024-42024) and access the NTLM hash of the Reporter Service account (CVE-2024-42019).  The remaining four issues, all "high severity," could allow attackers to execute code with administrator privileges (authentication is required), access saved credentials (possession of an access token is required), modify product configuration files, and perform HTML injection.

SecurityWeek reports: "Veeam Patches Critical Vulnerabilities in Enterprise Products"