CVE-2024-40711 | Attaxion

CISA Known Exploited Vulnerability (KEV)

Name

Veeam Backup and Replication Deserialization Vulnerability

Exploit added

October 17, 2024

Action due

November 7, 2024

Action required

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

A deserialization of untrusted data vulnerability with a malicious payload can allow an unauthenticated remote code execution (RCE).

CWE-ID	CWE Name
CWE-502	Deserialization of Untrusted Data

cpe:2.3:a:veeam:veeam_backup_&_replication:10.0.0.4442:::::::*
cpe:2.3:a:veeam:veeam_backup_&_replication:10.0.0.4461:-::::::
cpe:2.3:a:veeam:veeam_backup_&_replication:10.0.0.4461:p1::::::
cpe:2.3:a:veeam:veeam_backup_&_replication:10.0.0.4461:p2::::::
cpe:2.3:a:veeam:veeam_backup_&_replication:10.0.1.4848:::::::*
cpe:2.3:a:veeam:veeam_backup_&_replication:11.0.0.825:::::::*
cpe:2.3:a:veeam:veeam_backup_&_replication:11.0.0.837:-::::::
cpe:2.3:a:veeam:veeam_backup_&_replication:11.0.0.837:p20210319::::::
cpe:2.3:a:veeam:veeam_backup_&_replication:11.0.0.837:p20210324::::::
cpe:2.3:a:veeam:veeam_backup_&_replication:11.0.0.837:p20210401::::::
cpe:2.3:a:veeam:veeam_backup_&_replication:11.0.0.837:p20210507::::::
cpe:2.3:a:veeam:veeam_backup_&_replication:11.0.0.837:p20210525::::::
cpe:2.3:a:veeam:veeam_backup_&_replication:12.0.0.1420:-::::::
cpe:2.3:a:veeam:veeam_backup_&_replication:5.0.2.230:::::::*
cpe:2.3:a:veeam:veeam_backup_&_replication:8.0.0.2030:::::::*
cpe:2.3:a:veeam:veeam_backup_&_replication:9.5.0.1536:::::::*
cpe:2.3:a:veeam:veeam_backup_&_replication:9.5.4.2615:::::::*
cpe:2.3:a:veeam:veeam_backup_&_replication:11.0.0.837:::::::*
cpe:2.3:a:veeam:veeam_backup_&_replication:11.0:::::::*
cpe:2.3:a:veeam:veeam_backup_&_replication:10.0:::::::*

Source:
NVD

Published:
September 7, 2024

Updated:
October 18, 2024

Base score:
9.8

Severity:

CRITICAL

Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Not defined