Users of Veeam Backup Enterprise Manager are being urged to update to the latest version following the discovery of a critical security flaw that could permit an adversary to bypass authentication protections.

Tracked as CVE-2024-29849 (CVSS score: 9.8), the vulnerability could allow an unauthenticated attacker to log in to the Veeam Backup Enterprise Manager web interface as any user.

The company has also disclosed three other shortcomings impacting the same product –

  • CVE-2024-29850 (CVSS score: 8.8), which allows account takeover via NTLM relay
  • CVE-2024-29851 (CVSS score: 7.2), which allows a privileged user to steal NTLM hashes of a Veeam Backup Enterprise Manager service account if it’s not configured to run as the default Local System account
  • CVE-2024-29852 (CVSS score: 2.7), which allows a privileged user to read backup session logs

All the flaws have been addressed in version 12.1.2.172. However, Veeam noted that deploying Veeam Backup Enterprise Manager is optional and that environments that do not have it installed are not impacted by the flaws.

In recent weeks, the company has also resolved a local privilege escalation flaw affecting the Veeam Agent for Windows (CVE-2024-29853, CVSS score: 7.2) and a critical remote code execution bug impacting Veeam Service Provider Console (CVE-2024-29212, CVSS score: 9.9).

“Due to an unsafe deserialization method used by the Veeam Service Provider Console (VSPC) server in communication between the management agent and its components, under certain conditions, it is possible to perform Remote Code Execution (RCE) on the VSPC server machine,” Veeam said of CVE-2024-29212.

Security flaws in Veeam Backup & Replication software (CVE-2023-27532, CVSS score: 7.5) have been exploited by threat actors like FIN7 and Cuba for deploying malicious payloads, including ransomware, making it imperative that users move quickly to patch the aforementioned vulnerabilities.