CVE-2024-40711
Published 2024-09-07
CVE-2024-40711: A deserialization of untrusted data vulnerability with a malicious payload can allow an unauthenticated remote code execution (RCE).
Priority: P1 · 100 · critical · 9.8 CVSS 3.1
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV, ITW, EXPLOIT, Ransomware, Initial access
CISA Known Exploited Vulnerability · due 2024-11-07
Exploited in the wild
EPSS: 88.19% (99.7th percentile)
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| veeam | backup_and_recovery | 12.1.2 – 12.1.2 | — |
| veeam | veeam_backup_replication | >= 12.0.0.1420 < 12.2.0.334 | 12.2.0.334 |
Detection & IOCs (extracted from sources)
- Correlate CVE-2024-40711 exploitation attempts with inbound connections from compromised VPN gateways lacking MFA, the initial access vector observed in all four Akira/Fog/Frag cases.
- Track threat activity cluster 'STAC 5881' as the attribution label for CVE-2024-40711 exploitation leading to Frag, Akira, and Fog ransomware deployments.
- Alert on rclone execution on Veeam Backup & Replication servers or Hyper-V hosts post-exploitation, as it was used for data exfiltration in Fog ransomware incidents.
- CVE-2024-40711 is exploitable without authentication; no credentials are required for initial RCE, making internet-exposed Veeam VBR servers immediately at risk.
- Frag ransomware operators (STAC 5881) use Living Off The Land binaries (LOLBins), making post-exploitation activity harder to detect with signature-based tools.
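CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| vulncheck | — | 9.8 | CRITICAL | — |
| cisa | — | 9.8 | CRITICAL | — |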
GHSA
GHSA-c76v-gjqc-j462: A deserialization of untrusted data vulnerability with a malicious payload can allow an unauthenticated remote code execution (RCE)
ghsa_unreviewed·2024-09-07
CVE-2024-40711 [CRITICAL] CWE-502 GHSA-c76v-gjqc-j462: A deserialization of untrusted data vulnerability with a malicious payload can allow an unauthenticated remote code execution (RCE)
VulnCheck
Veeam Backup and Replication Deserialization Vulnerability
vulncheck·2024·CVSS 9.8
CVE-2024-40711 [CRITICAL] CWE-502 Veeam Backup and Replication Deserialization Vulnerability
Veeam Backup and Replication contains a deserialization vulnerability allowing an unauthenticated user to perform remote code execution.
Affected: Veeam Backup & Replication
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Known Ransomware Campaign Use: Known
Exploitation References: https://www.fortiguard.com/outbreak-alert/akira-ransomware; https://vulnera.com/newswire/critical-remote-code-execution-vulnerability-detected-in-veeam-backup-replication-software/; https://www.ptsecurity.com/ru-ru/research/analytics/dajdzhest-trendovyh-uyazvimostej-sentyabr-2024-goda/; https://infosec.exchange/@SophosXOps/113284564225476186; https://x.com/SophosXOps/statu
CISA
Veeam Backup and Replication Deserialization Vulnerability
cisa·2024-10-17·CVSS 9.8
CVE-2024-40711 [CRITICAL] CWE-502 Veeam Backup and Replication Deserialization Vulnerability
Vulnerability: Veeam Backup and Replication Deserialization Vulnerability
Affected: Veeam Backup & Replication
Veeam Backup and Replication contains a deserialization vulnerability allowing an unauthenticated user to perform remote code execution.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes: https://www.veeam.com/kb4649 ; https://nvd.nist.gov/vuln/detail/CVE-2024-40711
Remediation Due Date: 2024-11-07
No detection rules found.
Nuclei
Veeam Backup & Replication - Unauthenticated
nuclei·CVSS 9.8
CVE-2024-40711 [CRITICAL] Veeam Backup & Replication - Unauthenticated
A deserialization of untrusted data vulnerability with a malicious payload can allow an unauthenticated remote code execution (RCE).
Template:
```yaml
id: CVE-2024-40711

info:
  name: Veeam Backup & Replication - Unauthenticated
  author: rootxharsh,iamnoooob,DhiyaneshDK
  severity: critical
  description: |
    A deserialization of untrusted data vulnerability with a malicious payload can allow an unauthenticated remote code execution (RCE).
  impact: |
    Unauthenticated attackers can exploit deserialization vulnerabilities to achieve remote code execution on Veeam Backup & Replication servers.
  remediation: |
    Update Veeam Backup & Replication to a patched version addressing CVE-2024-40711.
  reference:
    - https://x.com/codewhitesec/status/1831720125747069389?s=46
    - h
```
Bleepingcomputer
New Veeam vulnerability exposes backup servers to RCE attacks
blogs_bleepingcomputer·2026-06-09·CVSS 9.4
CVE-2026-44963 [CRITICAL] New Veeam vulnerability exposes backup servers to RCE attacks
## New Veeam vulnerability exposes backup servers to RCE attacks
## Sergiu Gatlan
Veeam has released security updates to patch a critical Backup & Replication security flaw that can be exploited to gain remote code execution (RCE) on domain-joined backup servers.
The vulnerability (tracked as CVE-2026-44963 and reported by WatchTowr security researcher Sina Kheirkhah) affects Veeam Backup & Replication (VBR) 12.3.2.4465 and all earlier version 12 builds, and was fixed in version 12.3.2.4854.
While any domain user with low privileges can exploit this vulnerability, the flaw only impacts Veeam Backup & Replication installations that are joined to a domain.
"A vulnerability allowing remote code execution (RCE) on the Backup Server by an authenticated domain user," Veeam said in a Tuesda
Checkpoint
23rd February – Threat Intelligence Report
blogs_checkpoint·2026-02-23
CVE-2023-27532 23rd February – Threat Intelligence Report
## 23rd February – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 23rd February, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
France’s Ministry of Economy has disclosed a data breach resulting from unauthorized access to the national bank account registry FICOBA, impacting information tied to 1.2 million accounts. Exposed data includes names, addresses, account identifiers and, in some cases, tax-related identifiers. Officials said the intrus
Bleepingcomputer
Amazon: AI-assisted hacker breached 600 Fortinet firewalls in 5 weeks
blogs_bleepingcomputer·2026-02-21
## Amazon: AI-assisted hacker breached 600 Fortinet firewalls in 5 weeks
## Lawrence Abrams
Article updated at the bottom with additional technical details about this campaign.
Amazon is warning that a Russian-speaking hacker used multiple generative AI services as part of a campaign that breached more than 600 FortiGate firewalls across 55 countries in five weeks.
A new report by CJ Moses, CISO of Amazon Integrated Security, says that the hacking campaign occurred between January 11 and February 18, 2026, and did not rely on any exploits to breach Fortinet firewalls.
Instead, the threat actor targeted exposed management interfaces and weak credentials that lacked MFA protection, then used AI to help automate access to other devices on the breached network.
Moses says the compromised
Bleepingcomputer
New Veeam vulnerabilities expose backup servers to RCE attacks
blogs_bleepingcomputer·2026-01-07·CVSS 7.8
CVE-2025-59470 [HIGH] New Veeam vulnerabilities expose backup servers to RCE attacks
## New Veeam vulnerabilities expose backup servers to RCE attacks
## Sergiu Gatlan
Veeam released security updates to patch multiple security flaws in its Backup & Replication software, including a critical remote code execution (RCE) vulnerability.
Tracked as CVE-2025-59470, this RCE security flaw affects Veeam Backup & Replication 13.0.1.180 and all earlier version 13 builds.
"This vulnerability allows a Backup or Tape Operator to perform remote code execution (RCE) as the postgres user by sending a malicious interval or order parameter," Veeam explained in a Tuesday advisory.
However, the information technology company adjusted its rating to high severity because it can only be exploited by attackers with the Backup or Tape Operator roles.
"The Backup and Tape Operator roles are c
Bleepingcomputer
CISA warns of Akira ransomware Linux encryptor targeting Nutanix VMs
blogs_bleepingcomputer·2025-11-13
## CISA warns of Akira ransomware Linux encryptor targeting Nutanix VMs
## Lawrence Abrams
US government agencies are warning that the Akira ransomware operation has been spotted encrypting Nutanix AHV virtual machines in attacks.
An updated joint advisory from CISA, the FBI, the Department of Defense Cyber Crime Center (DC3), the Department of Health and Human Services (HHS), and several international partners alerts that Akira ransomware has expanded its encryption capabilities to Nutanix AHV VM disk files.
The advisory includes new indicators of compromise and tactics observed through FBI investigations and third-party reporting as recent as November 2025.
## Encrypting Nutanix VMs in attacks
The advisory warns that in June 2025 Akira actors started to encrypt disk files for Nutanix
Bleepingcomputer
New Veeam RCE flaw lets domain users hack backup servers
blogs_bleepingcomputer·2025-06-17·CVSS 9.8
CVE-2025-23121 [CRITICAL] New Veeam RCE flaw lets domain users hack backup servers
## New Veeam RCE flaw lets domain users hack backup servers
## Sergiu Gatlan
Veeam has released security updates today to fix several Veeam Backup & Replication (VBR) flaws, including a critical remote code execution (RCE) vulnerability.
Tracked as CVE-2025-23121, this security flaw was reported by security researchers at watchTowr and CodeWhite, and it only impacts domain-joined installations.
As Veeam explained in a Tuesday security advisory, the vulnerability can be exploited by authenticated domain users in low-complexity attacks to gain code execution remotely on the Backup Server. This flaw affects Veeam Backup & Replication 12 or later, and it was fixed in version 12.3.2.3617, which was released earlier today.
While CVE-2025-23121 only impacts VBR installations joined to a dom
Qualys
Inside LockBit: Defense Lessons from the Leaked LockBit Negotiations
blogs_qualys·2025-05-08
## Table of Contents
Who is LockBit? How it Evolved and Operates
Monero: The Coin of the Realm
Patch or Mitigate Now: Critical CVEs Exploited by LockBit
Beyond Traditional Endpoints: Other Compromised Systems
Initial Access and Deployment
Conclusion
The LockBit ransomware gang recently suffered a significant data breach. Their dark web affiliate panels were defaced with the message “Don’t do crime CRIME IS BAD xoxo from Prague,” linking to a MySQL database dump. This archive contains a SQL file from LockBit’s affiliate panel database that includes twenty tables, notably including a ‘btc_addresses’ table with 59,975 unique bitcoin addresses and a ‘chats’ table containing over 4,400 victim negotiation messages from December 2024 to the end of April 2025.
This blog post will leverage
Bleepingcomputer
Veeam warns of critical RCE bug in Service Provider Console
blogs_bleepingcomputer·2024-12-03·CVSS 9.8
[CRITICAL] Veeam warns of critical RCE bug in Service Provider Console
## Veeam warns of critical RCE bug in Service Provider Console
## Sergiu Gatlan
Veeam released security updates today to address two Service Provider Console (VSPC) vulnerabilities, including a critical remote code execution (RCE) discovered during internal testing.
VSPC, described by the company as a remote-managed BaaS (Backend as a Service) and DRaaS (Disaster Recovery as a Service) platform, is used by service providers to monitor the health and security of customer backups, as well as manage their Veeam-protected virtual, Microsoft 365, and public cloud workloads.
The first security flaw fixed today (tracked as CVE-2024-42448 and rated with a 9.9/10 severity score) enables attackers to execute arbitrary code on unpatched servers from the VSPC management agent machine.
Veeam also
Bleepingcomputer
Critical Veeam RCE bug now used in Frag ransomware attacks
blogs_bleepingcomputer·2024-11-08·CVSS 9.8
CVE-2024-40711 [CRITICAL] Critical Veeam RCE bug now used in Frag ransomware attacks
## Critical Veeam RCE bug now used in Frag ransomware attacks
## Sergiu Gatlan
After being used in Akira and Fog ransomware attacks, a critical Veeam Backup & Replication (VBR) security flaw was also recently exploited to deploy Frag ransomware.
Code White security researcher Florian Hauser found that the vulnerability (tracked as CVE-2024-40711) is caused by a deserialization of untrusted data weakness that unauthenticated threat actors can exploit to gain remote code execution (RCE) on Veeam VBR servers.
watchTowr Labs, which published a technical analysis on CVE-2024-40711 on September 9, delayed releasing a proof-of-concept exploit until September 15 to give admins enough time to apply security updates issued by Veeam on September 4.
Code White also delayed sharing more details wh
Talos
Akira ransomware continues to evolve
blogs_talos·2024-10-21
Akira continues to cement its position as one of the most prevalent ransomware operations in the threat landscape, according to Cisco Talos’ findings and analysis.
Their success is partly due to the fact that they are constantly evolving. For example, after Akira already developed a new version of their ransomware encryptor earlier in the year, we just recently observed another novel iteration of the encryptor targeting Windows and Linux hosts alike.
Previously, Akira typically employed a double-extortion tactic in which critical data is exfiltrated prior to the compromised victim systems becoming encrypted. Beginning in early 2024, Akira appeared to be sidelining the encryption tactics, focusing on data exfiltration only. We assess with low to moderate confidence that this shift was due
Bleepingcomputer
Akira and Fog ransomware now exploit critical Veeam RCE flaw
blogs_bleepingcomputer·2024-10-10·CVSS 9.8
CVE-2024-40711 [CRITICAL] Akira and Fog ransomware now exploit critical Veeam RCE flaw
## Akira and Fog ransomware now exploit critical Veeam RCE flaw
## Sergiu Gatlan
Ransomware gangs now exploit a critical security vulnerability that lets attackers gain remote code execution (RCE) on vulnerable Veeam Backup & Replication (VBR) servers.
Code White security researcher Florian Hauser found that the security flaw, now tracked as CVE-2024-40711, is caused by a deserialization of untrusted data weakness that unauthenticated threat actors can exploit in low-complexity attacks.
Veeam disclosed the vulnerability and released security updates on September 4, while watchTowr Labs published a technical analysis on September 9. However, watchTowr Labs delayed publishing proof-of-concept exploit code until September 15 to give admins enough time to secure their servers.
The delay w
Checkpoint
9th September – Threat Intelligence Report
blogs_checkpoint·2024-09-09
CVE-2024-32896 9th September – Threat Intelligence Report
## 9th September – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 9th September, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
The German air traffic control agency, Deutsche Flugsicherung, has confirmed a cyberattack that impacted its administrative IT infrastructure. The extent of data accessed is still under investigation, and flight operations remained unaffected. No threat actor has claimed responsibility yet, though the attack is suspecte
Bleepingcomputer
Veeam warns of critical RCE flaw in Backup & Replication software
blogs_bleepingcomputer·2024-09-05·CVSS 8.8
CVE-2024-40711 [HIGH] Veeam warns of critical RCE flaw in Backup & Replication software
## Veeam warns of critical RCE flaw in Backup & Replication software
## Bill Toulas
Veeam has released security updates for several of its products as part of a single September 2024 security bulletin that addresses 18 high and critical severity flaws in Veeam Backup & Replication, Service Provider Console, and One.
The most severe of the problems addressed is CVE-2024-40711, a critical (CVSS v3.1 score: 9.8) remote code execution (RCE) vulnerability on Veeam Backup & Replication (VBR) that can be exploited without authentication.
VBR is used to manage and secure backup infrastructure for enterprises, so it plays a critical role in data protection. As it can serve as a pivot point for lateral movement, it is considered a high-value target for ransomware operators.
Ransomware actors t
Greynoiseio
NoiseLetter September 2024
blogs_greynoiseio
- 2024-09-07: Published
- 2024-10-17: Added to CISA KEV
- Exploited in the wild