CVE-2024-42455: 
Veeam Backup & Replication vulnerability analysis and mitigation

CVE-2024-42455 is a vulnerability discovered in Veeam Backup & Replication that was disclosed on December 3, 2024. The vulnerability allows a low-privileged user with an assigned role in the Users and Roles settings to connect to remoting services and exploit insecure deserialization by sending a serialized temporary file collection. This vulnerability affects Veeam Backup & Replication versions 12.2.0.334 and earlier version 12 builds (Veeam KB).

The vulnerability is characterized by insecure deserialization during the processing of serialized temporary file collections. It has been assigned a CVSS v3.1 Base Score of 7.1 (High) with the vector string CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H. The vulnerability is classified under CWE-306 (Missing Authentication for Critical Function) and is caused by an insufficient blacklist during the deserialization process (NVD).

When exploited, this vulnerability enables an attacker to delete any file on the system with service account privileges. The impact primarily affects system integrity and availability, as indicated by the CVSS metrics showing high availability impact (A:H) and low integrity impact (I:L), while having no direct impact on confidentiality (C:N) (Rapid7).

The vulnerability has been fixed in Veeam Backup & Replication version 12.3 (build 12.3.0.310). As a temporary mitigation measure until systems can be upgraded, Veeam recommends removing untrusted and unnecessary users from the Users and Roles settings on the backup server. Organizations should review all users assigned a Role within Veeam Backup & Replication and assess internal necessity, removing access for users who do not strictly need it (Veeam KB).