CVE-2024-42024: 
Veeam ONE vulnerability analysis and mitigation

A critical vulnerability (CVE-2024-42024) has been identified in Veeam ONE versions 12.1.0.3208 and earlier builds. This vulnerability allows an attacker with knowledge of the Veeam ONE Agent service account credentials to execute arbitrary code on the machine where the agent is installed (Veeam KB, Security Online).

The vulnerability has been assigned a CVSS v3.1 score of 9.1 (Critical) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H. This indicates that the vulnerability can be exploited remotely, requires low attack complexity, but needs high privileges for exploitation. The vulnerability affects the Veeam ONE Agent service and could lead to complete system compromise (HackerOne).

If successfully exploited, this vulnerability allows attackers to execute arbitrary code on the machine hosting the Veeam ONE Agent with the privileges of the service account. This could potentially lead to complete system takeover and compromise of the monitored environment (Security Online).

Veeam has released a patch to address this vulnerability in Veeam ONE v12.2 (build 12.2.0.4093). Organizations are strongly urged to upgrade to this version immediately as there are no workarounds available for this vulnerability (Veeam KB).