Veeam: Security Vulnerabilities
A vulnerability in Veeam Backup & Replication allows low-privileged users to control and modify configurations on connected virtual infrastructure hosts. This includes the ability to power off virtual machines, delete files in storage, and make configuration changes, potentially leading to Denial of Service (DoS) and data integrity issues. The vulnerability is caused by improper permission checks in methods accessed via management services.
CVSS Score
7.4
EPSS Score
0.001
Published
2024-12-04
A vulnerability in Veeam Backup & Replication allows a low-privileged user to connect to remoting services and exploit insecure deserialization by sending a serialized temporary file collection. This exploit allows the attacker to delete any file on the system with service account privileges. The vulnerability is caused by an insufficient blacklist during the deserialization process.
CVSS Score
7.1
EPSS Score
0.001
Published
2024-12-04
A vulnerability in Veeam Backup & Replication Enterprise Manager has been identified, which allows attackers to perform authentication bypass. Attackers must be able to perform a Man-in-the-Middle (MITM) attack to exploit this vulnerability.
CVSS Score
7.7
EPSS Score
0.002
Published
2024-11-07
A cross-site scripting (XSS) vulnerability exists in the Reporter Widgets that allows HTML injection.
CVSS Score
7.3
EPSS Score
0.002
Published
2024-09-07
An improper access control vulnerability allows an attacker with valid access tokens to access saved credentials.
CVSS Score
7.5
EPSS Score
0.001
Published
2024-09-07
An incorrect permission assignment vulnerability allows an attacker to modify product configuration files.
CVSS Score
7.5
EPSS Score
0.001
Published
2024-09-07
An improper access control vulnerability allows low-privileged users to execute code with Administrator privileges remotely.
CVSS Score
7.8
EPSS Score
0.002
Published
2024-09-07
A vulnerability allows an attacker in possession of the Veeam ONE Agent service account credentials to perform remote code execution on the machine where the Veeam ONE Agent is installed.
CVSS Score
9.1
EPSS Score
0.006
Published
2024-09-07
A series of related high-severity vulnerabilities, the most notable enabling remote code execution (RCE) as the service account and extraction of sensitive information (saved credentials and passwords). Exploiting these vulnerabilities requires a user who has been assigned a low-privileged role within Veeam Backup & Replication.
CVSS Score
8.8
EPSS Score
0.006
Published
2024-09-07
CVE-2024-40711
Known exploited
A deserialization of untrusted data vulnerability can allow unauthenticated remote code execution (RCE) via a malicious payload.
CVSS Score
9.8
EPSS Score
0.562
Published
2024-09-07