Vulnerability Details : CVE-2024-40711
Potential exploit
Used for ransomware!
A deserialization of untrusted data vulnerability with a malicious payload can allow an unauthenticated remote code execution (RCE).
Vulnerability category: Execute code
Products affected by CVE-2024-40711
- Veeam » Veeam Backup & ReplicationVersions from including (>=) 12 and up to, including, (<=) 12.1.2.172cpe:2.3:a:veeam:veeam_backup_\&_replication:*:*:*:*:*:*:*:*
- Veeam » Veeam Backup & ReplicationVersions from including (>=) 12.0.0.1420 and before (<) 12.2.0.334cpe:2.3:a:veeam:veeam_backup_\&_replication:*:*:*:*:*:*:*:*
CVE-2024-40711 is in the CISA Known Exploited Vulnerabilities Catalog
This issue is known to have been leveraged as part of a ransomware campaign.
CISA vulnerability name:
Veeam Backup and Replication Deserialization Vulnerability
CISA required action:
Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
CISA description:
Veeam Backup and Replication contains a deserialization vulnerability allowing an unauthenticated user to perform remote code execution.
Notes:
https://www.veeam.com/kb4649 ; https://nvd.nist.gov/vuln/detail/CVE-2024-40711
Added on
2024-10-17
Action due date
2024-11-07
Exploit prediction scoring system (EPSS) score for CVE-2024-40711
47.26%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 97 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2024-40711
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
9.8
|
CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
N/A
|
N/A
|
HackerOne | 2024-09-07 |
|
9.8
|
CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
3.9
|
5.9
|
HackerOne | 2024-09-07 |
|
9.8
|
CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
3.9
|
5.9
|
NIST | 2024-10-18 |
CWE ids for CVE-2024-40711
-
The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.Assigned by:
- 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)
- nvd@nist.gov (Primary)
References for CVE-2024-40711
-
https://labs.watchtowr.com/veeam-backup-response-rce-with-auth-but-mostly-without-auth-cve-2024-40711-2/
Exploit;Third Party Advisory
-
https://www.veeam.com/kb4649
KB4649: Veeam Security Bulletin (September 2024)Vendor Advisory
Jump to