Attackers can log into Veeam Backup Enterprise Manager without authentication. Veeam emphasizes that your backups are protected from threats.
Veeam reports four vulnerabilities in Backup Enterprise Manager, a complementary tool for Veeam Backup & Replication. CVE-2024-29849 in particular is attracting a lot of attention due to its CVSS score of 9.8 out of 10. The vulnerability allows intruders to freely access the web-based management console without having to authenticate.
Attackers can also exploit CVE-2024-29850 (CVSS 8.8) to bypass NTLM authentication or CVE-2024-29851 (CVSS 7.2) to capture hashes. The fourth and final vulnerability, CVE-2024-29852, allows access to user session logs and is considered a rather limited threat (CVSS 2.7).
Backups out of danger
Creating sufficient backups is a golden rule for your company’s cyber resilience. Should something go wrong, your company will recover much faster if your data can be restored quickly. Attackers know this only too well and often target not only your active data, but also your backups. A vulnerability in backup software is therefore a legitimate cause for concern.
Veeam tries to reassure customers that attackers who manage to break into Backup Enterprise Manager won’t be able to easily tamper with your backups. “Due to our immutable backups and four-eyes authorization, the attacker will receive an error message if they try to delete backups,” the company told The Register.
The backup provider recommends that you install the available patches as soon as possible. Version 12.1.2.172 closes the gaps in Backup Enterprise Manager. If for some reason the update cannot be performed immediately, Veeam recommends temporarily stopping the tool, or removing it from your Veeam environment altogether if it is not actively used.
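The remediation guidance above boils down to a version check per Enterprise Manager host followed by one of three actions. The following Python script is an added example, not code from Veeam or from the article: it compares installed build strings against the fixed version named in the advisory and assigns an action per host. The inventory (host names, build numbers, in-use flags) is constructed sample data; only the fixed version 12.1.2.172 comes from the page. The comparison is done on integer tuples rather than strings, because a plain string comparison would rank a build like "12.1.2.9" above "12.1.2.172".

```python
# Added example (not Veeam's code): triage Veeam Backup Enterprise Manager hosts
# against the fixed build named in the advisory. Inventory values are constructed.
from typing import List, Tuple

FIXED_VERSION = "12.1.2.172"  # fixed build quoted in the advisory text above


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted build string into a tuple of ints so ordering is numeric.

    Missing trailing components are padded with zeros, so "12.1" compares as 12.1.0.0.
    """
    parts = [int(p) for p in version.strip().split(".")]
    return tuple(parts + [0] * max(0, 4 - len(parts)))


def is_patched(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed build is the fixed build or newer."""
    return parse_version(installed) >= parse_version(fixed)


def triage(inventory: List[dict]) -> List[Tuple[str, str]]:
    """Map each host to the action the advisory suggests.

    patched                 -> "ok"
    unpatched, not in use   -> "remove"   (advisory: remove the tool if unused)
    unpatched, in use       -> "patch now" (or stop the tool until patched)
    """
    result = []
    for entry in inventory:
        if is_patched(entry["version"]):
            action = "ok"
        elif not entry["in_use"]:
            action = "remove"
        else:
            action = "patch now"
        result.append((entry["host"], action))
    return result


# Constructed sample inventory (hostnames and builds are illustrative, not real data).
SAMPLE_INVENTORY = [
    {"host": "bem-01.example.test", "version": "12.1.2.172", "in_use": True},
    {"host": "bem-02.example.test", "version": "12.1.2.9", "in_use": True},
    {"host": "bem-03.example.test", "version": "12.0.0.1420", "in_use": False},
]

if __name__ == "__main__":
    for host, action in triage(SAMPLE_INVENTORY):
        print(f"{host}: {action}")
```

Feeding the script a real inventory export is a matter of replacing `SAMPLE_INVENTORY` with the hosts and build numbers from your own asset list; the action column then tells you which hosts to patch, which to stop, and which to decommission.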