| Field | Value |
|---|---|
| OEM | Veeam |
| Severity | Critical |
| Date of Announcement | 2024-10-17 |
| CVSS Score | 9.8 |
| CVE | CVE-2024-40711 |
| CWE | CWE-502 |
| Exploited in Wild | Yes |
| Patch/Remediation Available | Yes |
| Advisory Version | 1.0 |

Veeam Backup & Replication software has been found to contain a critical vulnerability (CVE-2024-40711) that is actively being exploited by ransomware actors to distribute Akira and Fog ransomware. This vulnerability allows remote code execution without authentication, which can result in complete system compromise. Attackers are using this security gap to establish unauthorized accounts with administrative rights and spread ransomware on systems that lack protection.

| Vulnerability Name | CVE ID | Product Affected | Impact | CVSS Score |
|---|---|---|---|---|
| Veeam Backup & Replication Critical Code Execution Vulnerability | CVE-2024-40711 | Veeam Backup & Replication | Critical | 9.8 |


| CVE ID | System Affected | Vulnerability Details | Impact |
|---|---|---|---|
| CVE-2024-40711 | Veeam Backup & Replication versions prior to 12.2.0.334 | CVE-2024-40711 is a deserialization of untrusted data flaw that can be exploited via a URI /trigger on port 8000. Once exploited, the vulnerability triggers Veeam.Backup.MountService.exe to create a local account named "point" with administrative and Remote Desktop User privileges. Attackers then use this access to deploy ransomware such as Akira and Fog, and in some cases, exfiltrate data using tools like Rclone. | Remote code execution, creation of unauthorized admin accounts, ransomware deployment (Akira and Fog), data exfiltration. |
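
The account-creation behaviour in the table above can be hunted for in Windows Security logs. The following is an added example, not code from Veeam or from this advisory: it checks a build string against 12.2.0.334 and correlates event IDs 4688, 4720 and 4732. It assumes events are already parsed into dictionaries; the sample events, SIDs, install path and child process name are constructed placeholders.

```python
# Added example (not vendor code): triage Windows Security events for the
# CVE-2024-40711 post-exploitation pattern described in this advisory.
FIXED_BUILD = (12, 2, 0, 334)                  # builds below this are affected
MOUNT_SERVICE = "veeam.backup.mountservice.exe"
IOC_ACCOUNT = "point"                          # account name from the advisory
PRIV_GROUPS = {"S-1-5-32-544": "Administrators",        # well-known local SIDs
               "S-1-5-32-555": "Remote Desktop Users"}

def is_affected(build):
    """True if a dotted build string is older than 12.2.0.334."""
    return tuple(int(p) for p in build.strip().split(".")) < FIXED_BUILD

def triage(events):
    """Return (rule, detail) findings from 4688/4720/4732 events given as dicts."""
    findings, created = [], {}                 # created: new account SID -> name
    for ev in events:
        eid = ev["EventID"]
        parent = ev.get("ParentProcessName", "").lower()
        if eid == 4688 and parent.endswith(MOUNT_SERVICE):
            # Assumption: any child of the mount service deserves analyst review.
            findings.append(("child-of-mountservice", ev["NewProcessName"]))
        elif eid == 4720:                      # a user account was created
            created[ev["TargetSid"]] = ev["TargetUserName"]
            if ev["TargetUserName"].lower() == IOC_ACCOUNT:
                findings.append(("ioc-account-created", ev["TargetUserName"]))
        elif eid == 4732:                      # member added to a local group
            group = PRIV_GROUPS.get(ev["TargetSid"])
            if group and ev["MemberSid"] in created:
                findings.append(("new-account-privileged",
                                 created[ev["MemberSid"]] + " -> " + group))
    return findings

# Constructed sample events: SIDs, paths and process names are placeholders.
NEW_SID = "S-1-5-21-1111111111-2222222222-3333333333-1005"
OLD_SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"
SAMPLE = [
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\net.exe",
     "ParentProcessName": r"C:\<veeam-install-dir>\Veeam.Backup.MountService.exe"},
    {"EventID": 4720, "TargetUserName": "point", "TargetSid": NEW_SID},
    {"EventID": 4732, "TargetSid": "S-1-5-32-544", "MemberSid": NEW_SID},
    {"EventID": 4732, "TargetSid": "S-1-5-32-555", "MemberSid": NEW_SID},
    {"EventID": 4732, "TargetSid": "S-1-5-32-544", "MemberSid": OLD_SID},  # pre-existing account
]

if __name__ == "__main__":
    for rule, detail in triage(SAMPLE):
        print(rule, detail)
```

The group-membership rule only fires for accounts created within the same set of events, so the last sample event (a pre-existing account) is not reported; widen the time window when hunting across older logs.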