CVE-2024-40711
published 2024-09-07

CVE-2024-40711: A deserialization of untrusted data vulnerability with a malicious payload can allow an unauthenticated remote code execution (RCE).

Priority: P1 (100) · Severity: critical · CVSS 3.1 base score: 9.8
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · Exploit · Ransomware · Initial access
CISA Known Exploited Vulnerability, remediation due 2024-11-07
Exploited in the wild
EPSS: 88.19% (99.7th percentile)

Affected (2 ranges)

Vendor   Product                    Version range                   Fixed in
veeam    backup_and_recovery        12.1.2 – 12.1.2
veeam    veeam_backup_replication   >= 12.0.0.1420, < 12.2.0.334    12.2.0.334

Detection & IOCs (extracted from sources)

Type      Indicator
process   rclone
other     local account named 'point'
other     local account named 'point2'

  • Correlate CVE-2024-40711 exploitation attempts with inbound connections from compromised VPN gateways lacking MFA; this was the initial access vector observed in all four Akira/Fog/Frag cases.
  • Track the threat activity cluster 'STAC 5881' as the attribution label for CVE-2024-40711 exploitation leading to Frag, Akira, and Fog ransomware deployments.
  • Alert on rclone execution on Veeam Backup & Replication servers or Hyper-V hosts after exploitation; it was used for data exfiltration in the Fog ransomware incidents.
  • CVE-2024-40711 is exploitable without authentication: no credentials are required for the initial RCE, so internet-exposed Veeam VBR servers are immediately at risk.
  • Frag ransomware operators (STAC 5881) use living-off-the-land binaries (LOLBins), which makes post-exploitation activity harder to detect with signature-based tools.
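As an added example (not code from this page or from Veeam), the Python below turns the Affected table and the Detection & IOCs section into something a responder can run: is_affected() checks a VBR build string numerically against the advisory range (>= 12.0.0.1420 and < 12.2.0.334; the 12.1.2 row sits inside that range), and detect() applies the two IOC rules (rclone execution on backup infrastructure, creation of local accounts named 'point' or 'point2') to a handful of constructed events. The host names, the MONITORED_HOSTS inventory and the event shapes (loosely modelled on Sysmon event 1 and Windows Security event 4720) are assumptions for illustration, not real telemetry.

```python
"""Triage helpers for CVE-2024-40711 (Veeam Backup & Replication).

Added example, not code from the advisory page or from Veeam.
  1. is_affected(): numeric check of a VBR build against the advisory range
     >= 12.0.0.1420 and < 12.2.0.334.
  2. detect(): the rclone and 'point'/'point2' IOC rules run over constructed
     events (not real log data).
"""
import ntpath
from typing import Dict, Iterable, List, Tuple

# Affected range from the advisory table.
AFFECTED_MIN = (12, 0, 0, 1420)
FIXED_BUILD = (12, 2, 0, 334)

# Indicators from the Detection & IOCs section.
IOC_PROCESS = "rclone.exe"
IOC_ACCOUNTS = {"point", "point2"}

# Assumption: an inventory of VBR servers and Hyper-V hosts. Host names are made up.
MONITORED_HOSTS = {"vbr01.corp.example", "hv02.corp.example"}


def parse_build(build: str) -> Tuple[int, ...]:
    """Turn '12.1.2.172' into (12, 1, 2, 172); shorter forms are zero-padded."""
    parts = build.strip().split(".")
    if not 1 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Veeam build string: {build!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (4 - len(nums))


def is_affected(build: str) -> bool:
    """True when the build is inside the vulnerable range.

    Components are compared as integers: a plain string compare would sort
    '12.10.x' before '12.2.x' and misclassify it as vulnerable.
    """
    return AFFECTED_MIN <= parse_build(build) < FIXED_BUILD


# Constructed sample events shaped loosely like Sysmon EID 1 (process create)
# and Windows Security EID 4720 (user account created). Not real telemetry.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"host": "vbr01.corp.example", "event_id": "1",
     "image": r"C:\Windows\Temp\rclone.exe",
     "cmdline": r"rclone.exe copy D:\Backups remote:exfil --transfers 8"},
    {"host": "vbr01.corp.example", "event_id": "4720", "target_user": "point"},
    {"host": "ws17.corp.example", "event_id": "1",
     "image": r"C:\Tools\rclone.exe", "cmdline": "rclone.exe version"},
    {"host": "hv02.corp.example", "event_id": "4720", "target_user": "svc_backup"},
    {"host": "hv02.corp.example", "event_id": "4720", "target_user": "Point2"},
]


def detect(events: Iterable[Dict[str, str]],
           monitored_hosts=MONITORED_HOSTS) -> List[Dict[str, str]]:
    """Apply the two IOC rules; returns one finding per matching event."""
    findings: List[Dict[str, str]] = []
    for e in events:
        if e["event_id"] == "1":
            # ntpath handles Windows paths even when this script runs on Linux.
            image = ntpath.basename(e.get("image", "")).lower()
            # rclone is only an indicator on the backup infrastructure itself;
            # an analyst workstation running it is not flagged.
            if image == IOC_PROCESS and e["host"] in monitored_hosts:
                findings.append({"host": e["host"],
                                 "rule": "rclone execution on VBR/Hyper-V host",
                                 "detail": e.get("cmdline", "")})
        elif e["event_id"] == "4720":
            user = e.get("target_user", "")
            # Account names are matched case-insensitively.
            if user.lower() in IOC_ACCOUNTS:
                findings.append({"host": e["host"],
                                 "rule": "IOC local account created",
                                 "detail": user})
    return findings


if __name__ == "__main__":
    for b in ("12.1.2.172", "12.2.0.334", "12.10.0.1"):
        print(f"{b}: affected={is_affected(b)}")
    for f in detect(SAMPLE_EVENTS):
        print(f"{f['host']}: {f['rule']} ({f['detail']})")
```

The rclone rule is deliberately scoped to the host inventory rather than fired globally, since the page's indicator is rclone on VBR servers or Hyper-V hosts; widening it to every endpoint trades the signal described here for noise from legitimate sync jobs.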

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v3.1      9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd         v3.0      9.8     CRITICAL   CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck             9.8     CRITICAL
cisa                  9.8     CRITICAL