- 248/2024
- Critical
Veeam has released a security update to fix several vulnerabilities across multiple Veeam products.
The addressed vulnerabilities could allow the attacker to upload malicious files, obtain sensitive information, manipulate data and files, obtain credentials, gain elevated privileges, execute malicious commands, and gain access to the affected products.
Sample of the addressed vulnerabilities:
1. Veeam VSPC Server Privilege Escalation Vulnerability (CVE-2024-38650):
- CVSS: 9.9
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Consequences: Gain Privileges
2. Veeam Server Remote Code Execution Vulnerability (CVE-2024-39714):
- CVSS: 9.9
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Consequences: Gain Access
Affected products:
- Veeam Backup & Replication.
- Veeam ONE.
- Veeam Service Provider Console.
- Veeam Agent for Linux.
- Veeam Backup for Nutanix AHV.
- Veeam Backup for Oracle Linux Virtualization Manager and Red Hat Virtualization.
Vulnerabilities
- CVE-2024-38650
- CVE-2024-38651
- CVE-2024-39714
- CVE-2024-39715
- CVE-2024-39718
- CVE-2024-40709
- CVE-2024-40710
- CVE-2024-40711
- CVE-2024-40712
- CVE-2024-40713
- CVE-2024-40714
- CVE-2024-40718
- CVE-2024-42019
- CVE-2024-42020
- CVE-2024-42021
- CVE-2024-42022
- CVE-2024-42023
- CVE-2024-42024
Mitigations
The enterprise should deploy this patch as soon as the testing phase is completed.