Critical Unauthenticated RCE Vulnerability in Veeam Backup & Replication (CVE-2024-40711) Under Active Exploitation

CVE-2024-40711 is a critical vulnerability discovered in Veeam Backup & Replication software, allowing for unauthenticated remote code execution (RCE). This vulnerability arises from the deserialization of untrusted data, enabling attackers to execute arbitrary code remotely without any user interaction or privileges. Recent exploits have targeted organizations globally, posing significant risks to sectors such as financial services, healthcare, and critical infrastructure. Immediate action is required to mitigate this threat and secure affected systems.

Targeted Sectors and Countries

The active exploitation of CVE-2024-40711 has notably targeted several key sectors and countries, increasing the urgency for mitigation efforts.

Affected Sectors:

• Financial Services

• Healthcare

• Critical Infrastructure

Affected Countries:

• United States

• United Kingdom

• Germany

• Australia

Technical Information

• Vulnerability ID: CVE-2024-40711

• Severity: Critical

• Vector: Network

• Attack Type: Remote

• Privileges Required: None

• User Interaction: None

Description

CVE-2024-40711 is a deserialization vulnerability in the Veeam Backup & Replication software. The vulnerability allows an attacker to exploit the deserialization process by sending a specially crafted, malicious payload to the Veeam Backup & Replication service. This payload can cause the software to execute arbitrary code without requiring any authentication, thus compromising the affected system entirely. The vulnerability is particularly dangerous as it can be exploited remotely, allowing attackers to gain full control over the affected systems, manipulate data, and potentially propagate the attack within the network.

The deserialization of untrusted data is a common issue that can lead to severe consequences when exploited properly. In this case, the vulnerability's critical nature is underscored by its ability to bypass authentication mechanisms, granting attackers a direct avenue to compromise systems.

Exploit Details

The exploitation mechanism involves sending a serialized object through the network to the Veeam Backup & Replication service. When the service attempts to deserialize the object, it inadvertently executes the embedded malicious code. This results in a remote code execution (RCE) that can be leveraged to install malware, exfiltrate data, or pivot to other systems within the network.

Technical Analysis:

• Attack Vector: Remote exploitation through network access.

• Impact: Complete system compromise.

• Affected Systems: Systems running vulnerable versions of Veeam Backup & Replication.

• Potential Damage: Data theft, system manipulation, lateral movement within the network.

CVE-2024-40711 - Exploitation in the Wild

There have been multiple reports and confirmations of active exploitation of CVE-2024-40711 in the wild. Attackers have been observed leveraging this vulnerability to gain unauthorized access to sensitive systems, particularly targeting sectors such as finance, healthcare, and critical infrastructure.

Indicators of Compromise (IOCs):

• Suspicious Network Traffic: Increased and unusual traffic directed towards the Veeam Backup & Replication service.

• Unexpected System Behavior: Unexplained changes in system configurations, unauthorized access to data, or anomalous process executions.

References to Exploitation

• GitHub - Pre-Auth Exploit for CVE-2024-40711

• HelpNetSecurity - CVE-2024-40711 Exploited

• Censys - CVE-2024-40711

APT Groups Using This Vulnerability

While specific Advanced Persistent Threat (APT) groups have not been explicitly identified as exploiting CVE-2024-40711, the tactics, techniques, and procedures (TTPs) used in exploiting this vulnerability align with those of well-known threat actors. The exploitation patterns are consistent with those observed in attacks orchestrated by nation-state actors and sophisticated cybercriminal organizations.

MITRE ATT&CK Techniques:

• T1190: Exploit Public-Facing Application

• T1059: Command and Scripting Interpreter

• T1071: Application Layer Protocol

Affected Product Versions

Veeam Backup & Replication versions 12.1.1.56 and earlier are affected by CVE-2024-40711. It is crucial for organizations using these versions to apply the necessary updates and patches to mitigate this vulnerability.

Workaround and Mitigation

To protect against the exploitation of CVE-2024-40711, the following mitigation strategies are recommended:

1. Update Software: Immediately update Veeam Backup & Replication to the latest version where the vulnerability has been patched.

2. Network Segmentation: Implement network segmentation to isolate critical systems and services, reducing the potential for lateral movement.

3. Intrusion Detection Systems: Deploy and monitor IDS/IPS to detect any anomalous activities indicating exploitation attempts.

4. Regular Audits: Conduct regular security audits and vulnerability assessments to ensure systems are not susceptible to known vulnerabilities.

References

• NVD - CVE-2024-40711

• CVE Details - CVE-2024-40711

• Pre-Auth Exploit for CVE-2024-40711 - GitHub

• HelpNetSecurity - CVE-2024-40711 Exploited

• Veeam Vulnerability CVE-2024-40711 - The Stack

• Multiple Vulnerabilities in Veeam Backup & Replication - Rapid7 Blog

• Veeam Backup Response - Watchtower Labs

About Rescana

At Rescana, we specialize in providing Continuous Threat and Exposure Management (CTEM) solutions to help organizations identify, assess, and mitigate cybersecurity threats. Our platform enables you to stay ahead of potential vulnerabilities and ensure your systems are secure.

For further assistance or any questions regarding this report or other cybersecurity issues, please contact us at ops@rescana.com.