Introduction
NHS England has issued a high-severity Cyber Alert concerning a critical vulnerability in Veeam Backup & Replication software, identified as CVE-2024-40711 [2] [3] [5]. This vulnerability poses significant security risks, including unauthenticated remote code execution [1] [2] [5] [6], and is actively being exploited by multiple ransomware groups. Immediate action is required to mitigate these threats.
Description
NHS England has issued a high-severity Cyber Alert regarding a critical vulnerability in Veeam Backup & Replication, tracked as CVE-2024-40711 [2] [3] [5], which has a CVSS score of 9.8 [3]. This vulnerability, classified as a ‘deserialization of untrusted data’ issue [6], allows for unauthenticated remote code execution (RCE) [1] [2] [5] [6], enabling attackers to execute code on a remote device without physical access [3]. It affects all versions of Veeam Backup & Replication up to and including version 12.1.2.172 [4], with unsupported product versions likely also being vulnerable [3]. Veeam has made security updates available since early September 2024 to address this critical flaw.
Cybersecurity researcher Florian Hauser from CODE WHITE GmbH reported that this vulnerability is currently being actively exploited by multiple ransomware groups, including Fog [2] [4] [5], Akira [1] [4] [5] [7], Black Basta, Conti, Cuba, Egregor, Maze, Monti, REvil, and Royal [4]. Sophos X-Ops Managed Detection and Response (MDR) teams have observed numerous attacks leveraging this vulnerability, particularly against VPN gateways that lack multifactor authentication and run outdated software versions [2]. Attackers have been known to gain initial access with stolen credentials and then exploit the Veeam vulnerability by invoking Veeam.Backup.MountService.exe through a specific URI, which lets them create unauthorized local Administrator accounts [6]. Specifically, they have been observed using the Veeam URI /trigger on port 8000 to run net.exe and add a local account named “point” to the local Administrators and Remote Desktop Users groups.
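The post-exploitation behaviour described above (net.exe spawned by the Veeam mount service to create a local account and add it to the Administrators and Remote Desktop Users groups) is something a defender can hunt for in process-creation telemetry. The following is an added detection example, not code from the NHS England alert or any of the cited sources; the event records are constructed samples in a simplified Sysmon Event ID 1 shape, and the field names (Image, ParentImage, CommandLine, Computer) are assumptions.

```python
"""
Added detection example (not code from the NHS England alert or any cited
source). It scans Windows process-creation events for the post-exploitation
pattern the alert describes: net.exe launched by Veeam.Backup.MountService.exe
to create a local account or add one to the local Administrators or
Remote Desktop Users groups. The events below are constructed samples in a
simplified Sysmon Event ID 1 shape; field names are assumptions.
"""
import re
from typing import Dict, List, Optional

VEEAM_PARENT = "veeam.backup.mountservice.exe"
NET_BINARIES = {"net.exe", "net1.exe"}
# Groups the alert reports the attacker-created account being added to.
SENSITIVE_GROUPS = {"administrators", "remote desktop users"}

# net user <name> [<password>] /add
USER_ADD_RE = re.compile(r"\buser\s+\S+(?:\s+\S+)?\s+/add\b", re.IGNORECASE)
# net localgroup <group> <member> /add   (group may be quoted if it has spaces)
GROUP_ADD_RE = re.compile(r'\blocalgroup\s+"?([^"/]+?)"?\s+\S+\s+/add\b', re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Return a finding for a suspicious net.exe invocation, else None."""
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")
    if image not in NET_BINARIES:
        return None

    reasons: List[str] = []
    if USER_ADD_RE.search(cmd):
        reasons.append("local-account-created")
    m = GROUP_ADD_RE.search(cmd)
    if m and m.group(1).strip().lower() in SENSITIVE_GROUPS:
        reasons.append("added-to-" + m.group(1).strip().lower().replace(" ", "-"))
    if not reasons:
        return None

    # A backup service spawning account-management commands is the alert's
    # exploitation signature; the same command from an admin shell is lower
    # confidence but still worth reviewing.
    severity = "high" if parent == VEEAM_PARENT else "medium"
    return {
        "host": event.get("Computer", "?"),
        "severity": severity,
        "parent": parent,
        "reasons": reasons,
        "command": cmd,
    }


def scan(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run classify() over a batch of events and keep only the findings."""
    return [f for f in map(classify, events) if f]


# Constructed sample events (not real telemetry); paths are illustrative.
VEEAM_PATH = r"C:\Program Files\Veeam\Backup\Veeam.Backup.MountService.exe"
SAMPLE_EVENTS = [
    {"Computer": "VBR01", "Image": r"C:\Windows\System32\net.exe",
     "ParentImage": VEEAM_PATH, "CommandLine": "net user point P@ssw0rd /add"},
    {"Computer": "VBR01", "Image": r"C:\Windows\System32\net.exe",
     "ParentImage": VEEAM_PATH, "CommandLine": "net localgroup Administrators point /add"},
    {"Computer": "VBR01", "Image": r"C:\Windows\System32\net1.exe",
     "ParentImage": VEEAM_PATH,
     "CommandLine": 'net1 localgroup "Remote Desktop Users" point /add'},
    {"Computer": "WS07", "Image": r"C:\Windows\System32\net.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "net localgroup administrators helpdesk /add"},
    {"Computer": "VBR01", "Image": r"C:\Windows\System32\net.exe",
     "ParentImage": VEEAM_PATH, "CommandLine": r"net use Z: \\nas01\backups"},
    {"Computer": "WS07", "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f["severity"].upper(), f["host"], f["reasons"], "<-", f["parent"])
```

The rule keys on the parent process rather than on the account name “point”, since an attacker can change the name trivially while the backup service spawning net.exe remains the structural signature; the benign `net use` invocation from the same parent is deliberately left unflagged to keep the rule from paging on ordinary mount activity.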
The National Cybersecurity Operations Centre has assessed that the exploitation of CVE-2024-40711 is highly likely to persist [3]. Affected organizations are urged to review the Veeam Security Bulletin (September 2024) KB4649 and urgently update to version 12.2.0.334 or above [3] [6]. Veeam strongly recommends that all users update their Backup & Replication software to the latest version to mitigate risks, as unpatched vulnerabilities pose severe threats, including the potential for attackers to encrypt or delete critical backup data, compromise systems for further exploitation, and cause data breaches, reputational damage, and costly downtime [4]. To enhance security, it is crucial for users to implement multifactor authentication alongside patching this vulnerability [1] [2]. The situation underscores the critical need for organizations to prioritize patching known vulnerabilities, updating unsupported software, and safeguarding against these threats [2]. Veeam Backup & Replication is a data protection solution that provides backup and recovery for various environments, including virtual [4] [5], physical, network-attached storage, and cloud-native systems [3]. A technical analysis of the vulnerability was published by WatchLabs on September 9, 2024, further detailing the risks associated with this critical flaw.
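Turning the two build numbers in the alert (affected up to and including 12.1.2.172, fixed in 12.2.0.334 or above) into a patch decision across an estate is a small but error-prone step: version strings must be compared component by component, not as text. The helper below is an added example, not Veeam's own tooling or code from the alert; the inventory it runs over is constructed, and only the two boundary builds come from the alert.

```python
"""
Added version-triage example (not Veeam's own tooling or code from the alert).
The alert gives two facts: every Veeam Backup & Replication build up to and
including 12.1.2.172 is affected, and the fix is 12.2.0.334 or above. This
helper compares build numbers numerically (a plain string compare would rank
"12.10" below "12.2") and labels each host in a constructed inventory.
Unsupported older branches are labelled vulnerable, matching the alert's
assessment that they are likely affected too.
"""
from typing import Dict, List, Tuple

LAST_VULNERABLE = "12.1.2.172"   # from the alert
FIRST_FIXED = "12.2.0.334"       # from the alert


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '12.1.2.172' into (12, 1, 2, 172); pad short strings with zeros."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (4 - len(nums))


def is_vulnerable(version: str) -> bool:
    """True for any build below the first fixed release."""
    return parse_version(version) < parse_version(FIRST_FIXED)


def triage(inventory: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (host, version, status) rows; status is 'patch', 'ok' or 'unknown'."""
    rows = []
    for host, version in sorted(inventory.items()):
        try:
            status = "patch" if is_vulnerable(version) else "ok"
        except ValueError:
            status = "unknown"   # malformed or missing version: verify by hand
        rows.append((host, version, status))
    return rows


# Constructed inventory; only the two boundary builds come from the alert.
SAMPLE_INVENTORY = {
    "vbr-prod-01": "12.1.2.172",   # last affected build named in the alert
    "vbr-prod-02": "12.2.0.334",   # first fixed build named in the alert
    "vbr-dr-01":   "11.0.1.0",     # hypothetical older, unsupported branch
    "vbr-lab-01":  "12.1.1",       # hypothetical short version string
    "vbr-lab-02":  "n/a",          # agent returned no version
}

if __name__ == "__main__":
    for host, version, status in triage(SAMPLE_INVENTORY):
        print(f"{host:12} {version:12} {status}")
```

A host whose version cannot be parsed is reported as unknown rather than silently treated as patched, so the gap surfaces in the report instead of disappearing from it.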
Conclusion
The CVE-2024-40711 vulnerability in Veeam Backup & Replication represents a significant threat to cybersecurity, with active exploitation by ransomware groups [3] [6]. Organizations must urgently apply the available security updates and implement multifactor authentication to mitigate these risks. The ongoing exploitation of this vulnerability highlights the importance of timely software updates and robust security practices to protect against potential data breaches, system compromises, and associated damages.
References
[1] https://thenimblenerd.com/article/ransomware-chaos-veeam-flaw-cve-2024-40711-under-siege/
[2] https://cybermaterial.com/veeam-rce-vulnerability-exploited-by-hackers/
[3] https://www.infosecurity-magazine.com/news/nhs-england-warns-cve-active/
[4] https://www.ybs.us/2024/10/security-alert-vulnerability-in-veeam-backup-replication/
[5] https://securityaffairs.com/169679/cyber-crime/ransomware-groups-exploit-veeam-backup-replication-bug.html
[6] https://digital.nhs.uk/cyber-alerts/2024/cc-4563
[7] https://www.borncity.com/blog/2024/10/11/ransomware-gruppen-akira-und-fog-zielen-auf-ungepatchte-veeam-rce-schwachstelle/