CVE-2024-40711
Veeam Backup and Replication Deserialization Vulnerability - [Actively Exploited]
Description
A deserialization of untrusted data vulnerability with a malicious payload can allow an unauthenticated remote code execution (RCE).
INFO
Published Date: Sept. 7, 2024, 5:15 p.m.
Last Modified: Dec. 20, 2024, 4:35 p.m.
Remotely Exploitable: Yes
Source: [email protected]
CISA KEV (Known Exploited Vulnerabilities)
For the benefit of the cybersecurity community and network defenders—and to help every organization better manage vulnerabilities and keep pace with threat activity—CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild.
Veeam Backup and Replication contains a deserialization vulnerability allowing an unauthenticated user to perform remote code execution.
Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
https://www.veeam.com/kb4649 ; https://nvd.nist.gov/vuln/detail/CVE-2024-40711
CVSS Scores
Score | Version | Severity | Vector | Exploitability Score | Impact Score | Source |
---|---|---|---|---|---|---|
 | CVSS 3.0 | CRITICAL | | | | [email protected] |
 | CVSS 3.1 | CRITICAL | | | | [email protected] |
Solution
- Upgrade to Veeam Backup and Replication version 12.2.0.334 or later.
Public PoC/Exploit Available at Github
CVE-2024-40711 has 8 public PoC/exploits available on GitHub.
References to Advisories, Solutions, and Tools
Here, you will find a curated list of external links that provide in-depth information, practical solutions, and valuable tools related to CVE-2024-40711.
URL | Resource |
---|---|
https://www.veeam.com/kb4649 | Vendor Advisory |
https://labs.watchtowr.com/veeam-backup-response-rce-with-auth-but-mostly-without-auth-cve-2024-40711-2/ | Exploit Third Party Advisory |
CWE - Common Weakness Enumeration
While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2024-40711 is associated with the following CWEs:
Common Attack Pattern Enumeration and Classification (CAPEC)
Common Attack Pattern Enumeration and Classification (CAPEC) stores attack patterns, which are descriptions of the common attributes and approaches employed by adversaries to exploit the CVE-2024-40711 weaknesses.
We scan GitHub repositories to detect new proof-of-concept exploits. The following list is a collection of public exploits and proofs of concept published on GitHub, sorted by most recently updated.
Defensive toolkit for auditing, hardening, and monitoring Veeam Backup & Replication against the critical .NET Remoting deserialization RCE (CVE-2024-40711). Includes PowerShell scripts for version audit & forensic log collection, Splunk/Elastic SIEM queries, and PDF runbooks for patching and incident response.
PowerShell C++ C# Java Kotlin Rust
Links of research blogs published by me.
This is my starred repositories including the description for each tool. Makes search/filter over them easier.
A collection of Vulnerability Research and Reverse Engineering writeups.
CVE-2024-40711 is a critical vulnerability in Veeam Backup & Replication software that allows an unauthenticated attacker to execute code remotely.
CVE-2024-40711-exp
C#
Pre-Auth Exploit for CVE-2024-40711
C#
Ostorlab KEV: One-command to detect most remotely known exploitable vulnerabilities. Sourced from CISA KEV, Google's Tsunami, Ostorlab's Asteroid and Bug Bounty programs.
cisa-kev vulnerability 0day cisa exploits
Results are limited to the first 15 repositories due to potential performance issues.
The following list contains news articles that mention the CVE-2024-40711 vulnerability anywhere in the article.

- Daily CyberSecurity
  Fog Ransomware Group Exposed: Inside the Tools, Tactics, and Victims of a Stealthy Threat
  In a new investigation, The DFIR Report’s Threat Intel Group has shed light on the growing operations of the Fog ransomware group, revealing a sophisticated ars ...

- Cyber Security News
  Hackers Attacking Network Edge Devices to Compromise SMB Organizations
  Small and medium-sized businesses (SMBs) are increasingly falling victim to cyberattacks that specifically target network edge devices, according to recent findings. These critical devices—including f ...

- Daily CyberSecurity
  FOG Ransomware Campaign Targets Multiple Sectors with Phishing and Payload Obfuscation
  Trend Micro has identified a recent campaign involving FOG ransomware, demonstrating the adaptability of ...

- Daily CyberSecurity
  High-Severity XXE Vulnerability Found in NAKIVO Backup & Replication
  A high-severity security vulnerability has been identified in NAKIVO Backup & Replication, a popular data protection solution. The vulnerability, classified as an XML External Entity (XXE) issue and t ...

- Cybersecurity News
  Veeam Releases Patch for High-Risk SSRF Vulnerability CVE-2025-23082 in Azure Backup Solution
  Veeam, a prominent player in data management and backup solutions, has recently disclosed a critical vulnerability in its Veeam Backup for Microsoft Azure product. Identified as CVE-2025-23082, this S ...

- Cybersecurity News
  Thousands of SonicWall Devices Remain Vulnerable to CVE-2024-40766
  In September 2024, a critical vulnerability in SonicWall NSA devices, tracked as CVE-2024-40766, was disclosed. Since then, threat actors Akira and Fog have reportedly exploited this flaw to infiltrat ...

- Cybersecurity News
  Veeam Backup & Replication Vulnerabilities Exposed: High-Severity Flaws Put Data at Risk
  Veeam Software, a prominent provider of backup, recovery, and data management solutions, has released a security update to address multiple vulnerabilities in its Veeam Backup & Replication software. ...

- Cybersecurity News
  CVE-2024-42448 (CVSS 9.9): Critical RCE Vulnerability in Veeam VSPC
  Veeam Software, a prominent provider of backup and disaster recovery solutions, has released urgent security updates to address two critical vulnerabilities in its Service Provider Console (VSPC). One ...

- BleepingComputer
  Veeam warns of critical RCE bug in Service Provider Console
  Veeam released security updates today to address two Service Provider Console (VSPC) vulnerabilities, including a critical remote code execution (RCE) discovered during internal testing. VSPC, descri ...

- europa.eu
  Cyber Brief 24-12 - November 2024
  Cyber Brief (November 2024). December 3, 2024 - Version: 1.0. TLP:CLEAR. Executive summary: We analysed 232 open source reports for this Cyber Brief. Relating to cyber policy and law enforcement, Germany anno ...

- Cybersecurity News
  Researchers Uncover XenoRAT’s New Tactics Leveraging Excel XLL Files and Advanced Obfuscation
  Hunt researchers have discovered a novel deployment of XenoRAT, an open-source remote access tool (RAT), leveraging Excel XLL files and advanced obfuscation methods. Known for targeting gamers and pos ...

- The Hacker News
  Warning: VMware vCenter and Kemp LoadMaster Flaws Under Active Exploitation
  Now-patched security flaws impacting Progress Kemp LoadMaster and VMware vCenter Server have come under active exploitation in the wild, it has emerged. The U.S. Cybersec ...

- Cybersecurity News
  Ghostscript Update Patches Six Critical Vulnerabilities: Code Execution, Buffer Overflow, and Path Traversal Risks
  Popular document rendering engine Ghostscript has released a critical security update addressing multiple vulnerabilities, some of which could lead to remote code execution. Ghostscript, a widely used ...

- TheCyberThrone
  Frag Ransomware Dissection
  A new ransomware strain named Frag ransomware has been discovered during the series of cyberattacks involving exploiting a vulnerability in Veeam backup servers, tracked as CVE-2024-40711. This newly o ...

- Cybersecurity News
  Unpatched Epson Devices at Risk: CVE-2024-47295 Allows Easy Hijacking
  A newly discovered security vulnerability, CVE-2024-47295, affecting multiple SEIKO EPSON products, could allow attackers to take control of devices with administrative privileges. This issue arises f ...

- Cybersecurity News
  Frag Ransomware: A New Threat Exploits Veeam Vulnerability (CVE-2024-40711)
  Sophos X-Ops recently uncovered Frag ransomware in a series of cyberattacks exploiting a vulnerability in Veeam backup servers, designated CVE-2024-40711. This newl ...

- BleepingComputer
  Critical Veeam RCE bug now used in Frag ransomware attacks
  After being used in Akira and Fog ransomware attacks, a critical Veeam Backup & Replication (VBR) security flaw was also recently exploited to deploy Frag ransomware. Code White security researcher Fl ...

- Cybersecurity News
  Fortinet Warns of Actively Exploited Flaw in FortiManager: CVE-2024-47575 (CVSS 9.8)
  Fortinet has issued a security advisory for its FortiManager platform, addressing a critical vulnerability—CVE-2024-47575—which has been actively exploited in the wild. This vulnerability, rated at CV ...

- The Hacker News
  Ransomware Gangs Use LockBit's Fame to Intimidate Victims in Latest Attacks
  Threat actors have been observed abusing Amazon S3 (Simple Storage Service) Transfer Acceleration feature as part of ransomware attacks designed to exfiltrate victim data and upload them to S3 buckets ...

- Cybersecurity News
  Akira Ransomware Exploit CVE-2024-40766 in SonicWall SonicOS
  The notorious Akira ransomware group continues to adapt and refine its methods, solidifying its position as one of the most significant threats in the cyber landscape. Ac ...

The following table lists the changes that have been made to the CVE-2024-40711 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.

Modified Analysis by [email protected]
Dec. 20, 2024
Action | Type | Old Value | New Value |
---|---|---|---|
Changed | Reference Type | https://labs.watchtowr.com/veeam-backup-response-rce-with-auth-but-mostly-without-auth-cve-2024-40711-2/ No Types Assigned | https://labs.watchtowr.com/veeam-backup-response-rce-with-auth-but-mostly-without-auth-cve-2024-40711-2/ Exploit, Third Party Advisory |

CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0
Nov. 21, 2024
Action | Type | Old Value | New Value |
---|---|---|---|
Added | Reference | | https://labs.watchtowr.com/veeam-backup-response-rce-with-auth-but-mostly-without-auth-cve-2024-40711-2/ |

Initial Analysis by [email protected]
Oct. 18, 2024
Action | Type | Old Value | New Value |
---|---|---|---|
Added | CVSS V3.1 | | NIST AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Changed | Reference Type | https://www.veeam.com/kb4649 No Types Assigned | https://www.veeam.com/kb4649 Vendor Advisory |
Added | CWE | | NIST CWE-502 |
Added | CPE Configuration | | OR *cpe:2.3:a:veeam:veeam_backup_\&_replication:*:*:*:*:*:*:*:* versions from (including) 12.0.0.1420 up to (excluding) 12.2.0.334 |

CVE CISA KEV Update by 9119a7d8-5eab-497f-8521-727c672e3725
Oct. 18, 2024
Action | Type | Old Value | New Value |
---|---|---|---|
Added | Due Date | | 2024-11-07 |
Added | Vulnerability Name | | Veeam Backup and Replication Deserialization Vulnerability |
Added | Required Action | | Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable. |
Added | Date Added | | 2024-10-17 |

CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0
Sep. 09, 2024
Action | Type | Old Value | New Value |
---|---|---|---|
Added | CWE | | CISA-ADP CWE-502 |

CVE Received by [email protected]
Sep. 07, 2024
Action | Type | Old Value | New Value |
---|---|---|---|
Added | Description | | A deserialization of untrusted data vulnerability with a malicious payload can allow an unauthenticated remote code execution (RCE). |
Added | Reference | | HackerOne https://www.veeam.com/kb4649 [No types assigned] |
Added | CVSS V3 | | HackerOne AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |