CVE-2020-10915: 
Veeam ONE Agent vulnerability analysis and mitigation

This vulnerability (CVE-2020-10915) affects VEEAM One Agent version 9.5.4.4587, allowing remote attackers to execute arbitrary code without requiring authentication. The vulnerability was discovered in April 2020 by Michael Zanetta & Edgar Boda-Majer from Bugscale working with Trend Micro Zero Day Initiative (ZDI Advisory).

The specific flaw exists within the HandshakeResult method of the VEEAM One Agent. The vulnerability stems from improper validation of user-supplied data, which can result in deserialization of untrusted data. The vulnerability has been assigned a CVSS v3 score of 9.8 (Critical) with the vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating network accessibility, low attack complexity, and no required privileges or user interaction (ZDI Advisory, Veeam KB).

An attacker can leverage this vulnerability to execute code in the context of the service account on affected installations. The vulnerability affects both the VEEAM ONE server and its managed hosts, potentially allowing for widespread exploitation across internal networks and possibly corporate laptops (AttackerKB).

Veeam has released hotfixes for affected versions: Veeam ONE 10 (build 10.0.0.750) and Veeam ONE 9.5 Update 4a (build 9.5.4.4587). The hotfix must be installed on the Veeam ONE server, after which Veeam ONE Agents on the Veeam Backup & Replication servers will be updated automatically. New deployments of Veeam ONE version 10 and version 9.5 Update 4a installed using ISO images downloaded after April 15, 2020, are not vulnerable (Veeam KB).