CVE-2024-40712: 
Veeam Backup & Replication vulnerability analysis and mitigation

A path traversal vulnerability (CVE-2024-40712) was discovered in Veeam Backup & Replication 12.1.2.172 and all earlier version 12 builds. The vulnerability allows an attacker with a low-privileged account and local access to the system to perform local privilege escalation (LPE) (Veeam KB, NVD).

The vulnerability is classified as a path traversal issue (CWE-22) with a CVSS v3.1 base score of 7.8 (High), and vector string CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. This indicates that the vulnerability requires local access, low complexity to exploit, and low privileges, with no user interaction needed. The impact affects confidentiality, integrity, and availability, all at high levels (Rapid7, Veeam KB).

If successfully exploited, the vulnerability allows an attacker to escalate their privileges from a low-privileged account to higher privileges on the affected system. This could potentially give attackers elevated access to sensitive system resources and data (NVD).

The vulnerability has been fixed in Veeam Backup & Replication version 12.2 (build 12.2.0.334). Organizations using affected versions should upgrade to this latest version immediately to mitigate the risk. Unsupported versions were not tested but should be considered vulnerable and upgraded as soon as possible (Veeam KB).