CVE-2024-40714: 
Veeam Backup & Replication vulnerability analysis and mitigation

An improper certificate validation vulnerability (CVE-2024-40714) was discovered in TLS certificate validation that affects Veeam Backup & Replication version 12.1.2.172 and all earlier version 12 builds. The vulnerability was disclosed on September 7, 2024, and allows an attacker on the same network to intercept sensitive credentials during restore operations (NVD, Rapid7).

The vulnerability is classified as a high-severity issue with a CVSS v3.1 base score of 8.3. The CVSS vector string is CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H, indicating that the vulnerability requires network access, has high attack complexity, needs no privileges, requires user interaction, and can result in high impacts to confidentiality, integrity, and availability. The vulnerability is specifically related to improper certificate validation (CWE-295) during TLS certificate validation processes (Veeam KB).

If exploited, the vulnerability allows an attacker positioned on the same network to intercept sensitive credentials specifically during restore operations. This could potentially lead to unauthorized access to backup data and compromise of sensitive information (Veeam KB).

The vulnerability has been fixed in Veeam Backup & Replication version 12.2 (build 12.2.0.334). Users are strongly advised to upgrade to this version to protect against potential exploitation. Unsupported product versions should be considered vulnerable and should be upgraded immediately (Veeam KB).