
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
A deserialization of untrusted data vulnerability (CVE-2024-40711) was discovered in Veeam Backup & Replication software versions 12.1.2.172 and earlier. The vulnerability allows an unauthenticated attacker to achieve remote code execution (RCE). This critical vulnerability was reported by Florian Hauser with CODE WHITE GmbH and was disclosed on September 4, 2024 (Veeam KB, Censys Report).
The vulnerability stems from an insecure deserialization issue involving the System.Runtime.Remoting.ObjRef .NET class type, which is a known deserialization gadget. The vulnerability received a CVSS v3.1 score of 9.8 (Critical) with the vector string CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating high severity across confidentiality, integrity, and availability impacts (Veeam KB).
The vulnerability enables attackers to gain full control of affected systems, manipulate data, and potentially move laterally within networks. Given Veeam's role in enterprise backup systems, this vulnerability is particularly concerning as it could be exploited by ransomware operators to compromise backup systems and create double-extortion scenarios (Censys Report).
Veeam has released security patches addressing CVE-2024-40711 in version 12.2.0.334. Users are strongly advised to upgrade their systems to this version immediately. The patch includes fixes for this vulnerability along with several other security issues (Veeam KB).
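As an added illustration (not Veeam's or Wiz's own code), the following helper checks inventoried Veeam Backup & Replication build numbers against the affected ceiling (12.1.2.172) and the fixed build (12.2.0.334) stated above; the host names and build strings in the sample inventory are constructed. Builds that fall between the two thresholds are flagged for manual review rather than assumed safe.

```python
# Added triage helper for CVE-2024-40711 (constructed example, not vendor tooling).
from typing import Dict, Tuple

AFFECTED_MAX = "12.1.2.172"   # highest affected build per the Veeam KB
FIXED_VERSION = "12.2.0.334"  # first build carrying the fix


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted build string such as '12.1.2.172' into a comparable tuple.

    Shorter strings are zero-padded so '12.2' compares as (12, 2, 0, 0).
    Raises ValueError for strings that are not purely numeric dotted versions.
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (4 - len(nums))


def is_affected(version: str) -> bool:
    """True when the build is 12.1.2.172 or earlier (the advisory's affected range)."""
    return parse_version(version) <= parse_version(AFFECTED_MAX)


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Classify each host as 'affected', 'patched', 'review' or 'unknown'.

    'review' covers builds above 12.1.2.172 but below 12.2.0.334, which the
    advisory text does not explicitly cover; 'unknown' covers unparseable input.
    """
    result = {}
    for host, version in inventory.items():
        try:
            v = parse_version(version)
        except ValueError:
            result[host] = "unknown"
            continue
        if v <= parse_version(AFFECTED_MAX):
            result[host] = "affected"
        elif v >= parse_version(FIXED_VERSION):
            result[host] = "patched"
        else:
            result[host] = "review"
    return result


if __name__ == "__main__":
    # Constructed sample inventory (host names and builds are made up).
    sample = {"bk01": "12.1.2.172", "bk02": "12.2.0.334", "bk03": "12.1.2.200", "bk04": "n/a"}
    for host, state in triage(sample).items():
        print(f"{host}: {state}")
```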
The vulnerability has garnered significant attention due to Veeam's widespread use in enterprise environments and its critical role in backup systems. CODE WHITE GmbH, who discovered the vulnerability, noted on social media that they withheld technical details to prevent immediate abuse by ransomware gangs (Watchtowr Labs).
Source: This report was generated using AI