CVE-2024-40713: 
Veeam Backup & Replication vulnerability analysis and mitigation

A vulnerability in Veeam Backup & Replication that allows users with low-privileged roles to alter Multi-Factor Authentication (MFA) settings and bypass MFA. The vulnerability, identified as CVE-2024-40713, was discovered and disclosed on September 4, 2024, affecting Veeam Backup & Replication version 12.1.2.172 and all earlier version 12 builds (Veeam KB).

The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (High) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. This indicates that the vulnerability requires local access, low complexity to exploit, and low privileges, but requires no user interaction. The vulnerability is classified under CWE-287 (Improper Authentication) (NVD).

The vulnerability allows attackers with low-privileged access to bypass Multi-Factor Authentication protections by altering MFA settings, potentially compromising the security of the backup system and its protected data. This could lead to unauthorized access to sensitive backup data and system configurations (Rapid7 Blog).

The vulnerability has been fixed in Veeam Backup & Replication version 12.2 (build 12.2.0.334). Organizations using affected versions should upgrade to the latest version immediately to mitigate the risk. Unsupported product versions, while not tested, should be considered vulnerable and upgraded as soon as possible (Veeam KB).