CVE-2024-29849
published 2024-05-22

CVE-2024-29849: Veeam Backup Enterprise Manager allows unauthenticated users to log in as any user to enterprise manager web interface.

Priority: P275 · Severity: critical · CVSS 3.0 base score: 9.8
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 16.67% (96.6th percentile)

Affected

3 ranges

Vendor   Product                   Version range                                      Fixed in
veeam    backup_replication        >= 11.0.1.1261 P20240304, < 11.0.1.1261 P20240304  11.0.1.1261 P20240304
veeam    backup_replication        >= 12.1.2.172, < 12.1.2.172                        12.1.2.172
veeam    veeam_backup_replication  < 12.1.2.172                                       12.1.2.172

Note: as recorded, the first two ranges have the same build as lower and upper bound, so taken literally they match nothing; the "Fixed in" column is the usable part of those rows. The third row (anything below 12.1.2.172) is the one to act on.

Detection & IOCs (extracted from sources)

process: Veeam.Backup.Enterprise.RestAPIService.exe
port: 9398/TCP (VBEM REST API)
  • Monitor for inbound unauthenticated requests to TCP port 9398 (the Veeam REST API) whose XML payload carries a crafted VMware SSO token with an attacker-controlled SSO service URL.
  • Detect outbound SOAP/HTTP requests from the Veeam Backup Enterprise Manager host to external or unexpected URLs; the service being steered to an attacker-controlled token-validation server is the core of the exploit chain.
  • Alert on successful logins to the VBEM web interface from untrusted or external IP addresses, especially when immediately followed by enumeration of file servers, which the public PoC uses as its proof of exploitation.
  • The vulnerability exists in Veeam Backup Enterprise Manager (VBEM), an optional component; only hosts with VBEM installed are exposed. It is patched in version 12.1.2.172, and instances not yet upgraded remain fully exploitable by unauthenticated remote attackers.
  • A public proof-of-concept exploit is available, which significantly lowers the bar for exploitation. No in-the-wild exploitation was confirmed at the time of reporting, but that may change rapidly.
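The three detection points above, as a worked example added to this page (not code from the page's sources or from Veeam). It runs each rule over constructed telemetry records. Everything site-specific is an assumption: the record field names, the allowlists of trusted SSO/vCenter hosts and operator networks, the placeholder `<Token><Issuer>` XML shape standing in for "an SSO token that names a service URL", and the 300 s login-to-enumeration window.

```python
"""Toy detector for the CVE-2024-29849 indicators listed above.

Added example, not Veeam's code or the page's own. Assumptions (not from
the page): log records are plain dicts with the fields used below; the SSO
token is XML that carries its validation-service URL in element text or an
attribute; the defender knows which SSO/vCenter hosts and client networks
are legitimate.
"""
import ipaddress
import re
import xml.etree.ElementTree as ET

VBEM_PROCESS = "Veeam.Backup.Enterprise.RestAPIService.exe"
VBEM_REST_PORT = 9398

# Assumed, site-specific allowlists (constructed for this example).
TRUSTED_HOSTS = {"sso.corp.example", "vcenter01.corp.example"}
TRUSTED_CLIENT_NETS = [ipaddress.ip_network("10.0.0.0/8")]
LOGIN_ENUM_WINDOW_S = 300  # assumed correlation window, rule 3

_URL_HOST = re.compile(r"https?://([A-Za-z0-9.\-]+)")


def hosts_in_xml(body: str) -> set:
    """Collect every http(s) host named in element text or attributes.
    Falls back to scanning the raw text when the XML is malformed, so a
    deliberately broken payload is still inspected rather than skipped."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return set(_URL_HOST.findall(body))
    hosts = set()
    for el in root.iter():
        for s in [el.text or ""] + list(el.attrib.values()):
            hosts.update(_URL_HOST.findall(s))
    return hosts


def untrusted_client(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in TRUSTED_CLIENT_NETS)


def check_inbound(req: dict):
    """Rule 1: unauthenticated request to the REST port whose XML body
    names an SSO/validation host outside the allowlist."""
    if req["dst_port"] != VBEM_REST_PORT or req["authenticated"]:
        return None
    rogue = hosts_in_xml(req["body"]) - TRUSTED_HOSTS
    if rogue:
        return f"inbound: SSO token from {req['src_ip']} points at {sorted(rogue)}"
    return None


def check_outbound(conn: dict):
    """Rule 2: the VBEM REST service itself calling a host it should not."""
    if conn["process"] == VBEM_PROCESS and conn["dst_host"] not in TRUSTED_HOSTS:
        return f"outbound: {VBEM_PROCESS} -> {conn['dst_host']}"
    return None


def check_logins(events: list):
    """Rule 3: successful web-UI login from an untrusted address; severity
    rises if the same address enumerates file servers soon afterwards."""
    alerts = []
    for login in events:
        if login["type"] != "login_success" or not untrusted_client(login["src_ip"]):
            continue
        followed = any(
            e["type"] == "enumerate_file_servers"
            and e["src_ip"] == login["src_ip"]
            and 0 <= e["ts"] - login["ts"] <= LOGIN_ENUM_WINDOW_S
            for e in events
        )
        sev = "high" if followed else "medium"
        alerts.append(f"login[{sev}]: {login['user']} from untrusted {login['src_ip']}"
                      + (" then enumerated file servers" if followed else ""))
    return alerts


# Constructed sample telemetry (not real captures). The XML shape is a
# placeholder for "a token carrying a service URL", not Veeam's schema.
SAMPLE_REQUESTS = [
    {"src_ip": "203.0.113.7", "dst_port": 9398, "authenticated": False,
     "body": "<Token><Issuer>https://203.0.113.7/sts/STSService</Issuer></Token>"},
    {"src_ip": "10.1.2.3", "dst_port": 9398, "authenticated": False,
     "body": "<Token><Issuer>https://sso.corp.example/sts/STSService</Issuer></Token>"},
]
SAMPLE_CONNECTIONS = [
    {"process": VBEM_PROCESS, "dst_host": "vcenter01.corp.example"},
    {"process": VBEM_PROCESS, "dst_host": "203.0.113.7"},
]
SAMPLE_EVENTS = [
    {"ts": 100, "type": "login_success", "user": "administrator", "src_ip": "203.0.113.7"},
    {"ts": 130, "type": "enumerate_file_servers", "src_ip": "203.0.113.7"},
    {"ts": 500, "type": "login_success", "user": "backupops", "src_ip": "10.1.2.3"},
]


def run_all(requests=SAMPLE_REQUESTS, connections=SAMPLE_CONNECTIONS, events=SAMPLE_EVENTS):
    alerts = [a for a in map(check_inbound, requests) if a]
    alerts += [a for a in map(check_outbound, connections) if a]
    alerts += check_logins(events)
    return alerts


if __name__ == "__main__":
    for alert in run_all():
        print(alert)
```

On the sample data the three rules fire once each, all on the same external address, which is the shape a real incident would take: the rogue validation URL in the token, the VBEM host calling that same address back, and the resulting login followed by file-server enumeration. The XML fallback matters because an attacker can ship a body the parser rejects while the server-side code still extracts the URL from it.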