CVE-2020-10915
Published 2020-04-22
Priority P184 · critical · 9.8 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 86.62% (99.7th percentile)
This vulnerability allows remote attackers to execute arbitrary code on affected installations of VEEAM One Agent 9.5.4.4587. Authentication is not required to exploit this vulnerability. The specific flaw exists within the HandshakeResult method. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-10401.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| veeam | one | — | — |
| veeam | one_agent | — | — |
Detection & IOCs (extracted from sources)
- Monitor for exploitation of the HandshakeResult() method in the Veeam ONE Agent service: a deliberately induced handshake failure triggers deserialization of attacker-controlled data.
- No authentication is required to reach the vulnerable endpoint; alert on unauthenticated inbound connections to the Veeam ONE Agent service port.
- Alert on unexpected child processes or code execution spawned under the Veeam ONE Agent service account context, which is the execution target of the deserialization payload.
- The Metasploit module path 'exploits/windows/misc/veeam_one_agent_deserialization' can be used as a signature string in IDS/EDR telemetry to identify known exploit framework usage against this CVE.
- Veeam continued distributing version 10.0.0.750 after patching it in-place; version number alone is insufficient to determine patch status, so the actual binary/hotfix level must be verified.
- Two distinct hotfix version thresholds exist across release lines (9.x and 10.x); detection rules based on version must account for both: vulnerable below 9.5.5.4587 (9.x line) and below 10.0.1.750 (10.x line).
CVSS provenance
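| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |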
- http://packetstormsecurity.com/files/157529/Veeam-ONE-Agent-.NET-Deserialization.html
- https://www.veeam.com/kb3144
- https://www.zerodayinitiative.com/advisories/ZDI-20-546/