24.05.2024 | Mirko Ioris | SOC News

SOC News | May 24 – Patch This Veeam Critical Vulnerability Now

On May 21, Veeam published details about four different vulnerabilities detected in their product Veeam Backup Enterprise Manager (VBEM). One of them is critical and allows an unauthenticated attacker to log in to the Veeam Backup Enterprise Manager web interface as any user.

| CVE Number | CVSS Score | EPSS Score |
|---|---|---|
| CVE-2024-29849 | 9.8 (Critical) | 0.04% (Low) |
| CVE-2024-29850 | 8.8 (High) | 0.04% (Low) |
| CVE-2024-29851 | 7.2 (High) | 0.04% (Low) |
| CVE-2024-29852 | 2.7 (Low) | 0.04% (Low) |
Details of the vulnerabilities

The EPSS scores associated with these vulnerabilities are very low at the time of writing this post (24/05/24) because the discoveries are new and not yet exploited, but they may increase in the following weeks. At the moment there is no evidence of an exploit available in the wild.

The VBEM application is used to manage Veeam Backup & Replication (VBR) installations from a single console, but its use is optional and not all environments have it installed. The exposed attack surface is therefore small.

A quick search on Shodan returns “only” 63 exposed instances of VBEM that may be vulnerable if not patched. Most of them are located in the US.

Veeam fixed all these vulnerabilities in Veeam Backup Enterprise Manager version 12.1.2.172. If an update is not possible right away, network administrators can mitigate the threat by halting the Veeam Backup Enterprise Manager software. To do so, stop and disable the VeeamEnterpriseManagerSvc (Veeam Backup Enterprise Manager) and VeeamRESTSvc (Veeam RESTful API) services.
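The following PowerShell script is an added example, not code from the post or from Veeam. It checks whether the installed VBEM build is already at or above 12.1.2.172 and, if not, applies the temporary workaround described above by stopping and disabling the two services, then prints their state for verification. The registry lookup through the standard Windows uninstall hive and the "Veeam Backup Enterprise Manager*" DisplayName filter are assumptions; the service names and the fixed version come from the post.

```powershell
# Added example (not from the Würth Phoenix post or from Veeam): temporary
# mitigation for the VBEM vulnerabilities on a host that cannot be updated yet.
# Run in an elevated PowerShell session on the Enterprise Manager server.

$services     = @('VeeamEnterpriseManagerSvc', 'VeeamRESTSvc')  # names from the post
$fixedVersion = [version]'12.1.2.172'                           # fixed build from the post

# Look up the installed VBEM version in the standard uninstall registry hive.
# Assumption: the product registers a DisplayName starting with this string.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$vbem = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'Veeam Backup Enterprise Manager*' } |
    Select-Object -First 1

$installed = if ($vbem) { $vbem.DisplayVersion -as [version] } else { $null }

if ($installed -and $installed -ge $fixedVersion) {
    Write-Host "VBEM $installed is at or above $fixedVersion; the workaround is not needed."
    return
}

if ($installed) {
    Write-Warning "VBEM $installed is below $fixedVersion; applying the service workaround."
} else {
    Write-Warning "Could not determine the VBEM version; applying the service workaround anyway."
}

# Stop both services and prevent them from starting again on reboot.
foreach ($name in $services) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) {
        Write-Warning "Service $name not found on this host (VBEM may not be installed)."
        continue
    }
    if ($svc.Status -ne 'Stopped') {
        Stop-Service -Name $name -Force
    }
    Set-Service -Name $name -StartupType Disabled
}

# Verification: both services should now report Stopped / Disabled.
Get-Service -Name $services -ErrorAction SilentlyContinue |
    Select-Object Name, Status, StartType
```

Disabling the services (rather than only stopping them) matters because a reboot or a monitoring tool would otherwise bring the web interface back online before the patch is applied; re-enable them with Set-Service -StartupType Automatic once the host has been updated to 12.1.2.172 or later.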

We recommend that everyone using VBEM apply the patch as soon as possible.

Mirko Ioris


Technical Consultant - Cyber Security Team | Würth Phoenix
