Veeam has released an update for its Backup & Replication software addressing four vulnerabilities, including a critical flaw (CVE-2024-29849, CVSS 9.8) that lets an unauthenticated attacker log in to the Backup Enterprise Manager web interface as any user. The issue affects versions 5.0 through 12.1 and is fixed in 12.1.2.172. The same release fixes a high-severity NTLM relay vulnerability (CVE-2024-29850, CVSS 8.8), a high-severity bug (CVE-2024-29851, CVSS 7.2) that lets a high-privileged user steal NTLM hashes, and a low-severity flaw that lets high-privileged users read backup session logs. Separately, a high-severity privilege escalation bug (CVE-2024-29853) in Veeam Agent for Windows is patched in version 6.1.2. Backup Enterprise Manager is an optional component, so deployments that never installed it are not exposed through its web interface, but any installation running an affected build should still be updated. Veeam advises updating promptly even though no in-the-wild exploitation has been reported, since earlier Veeam vulnerabilities have repeatedly been exploited by threat actors.
Read more: https://www.securityweek.com/critical-veeam-vulnerability-leads-to-authentication-bypass/
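The first question an operator has after reading the advisory is which of their Backup & Replication servers still run an affected build. The script below is an added example, not code from Veeam or from the article: it takes version strings as an inventory system would report them (possibly with a "v" prefix or trailing build text) and classifies each one against the figures quoted above. The inventory entries are constructed for illustration; the one interpretive assumption is that "5.0 to 12.1" means every build from 5.0 up to, but not including, the fixed build 12.1.2.172, so that 12.1.x builds below the fix count as vulnerable.

```python
import re
from typing import Dict, List, Tuple

# Figures from the advisory summary: first affected version and the fixed build
# for Veeam Backup & Replication (CVE-2024-29849 and the three companion flaws).
VBR_FIRST_AFFECTED = "5.0"
VBR_FIXED_BUILD = "12.1.2.172"

# Version strings as they often appear in inventory exports. Constructed sample data.
SAMPLE_INVENTORY: Dict[str, str] = {
    "vbr-prod-01": "12.1.1.56",
    "vbr-prod-02": "12.1.2.172",
    "vbr-dr-01": "v12.0.0.1420 (Build 12.0.0.1420)",
    "vbr-lab-01": "11.0.1.1261",
    "vbr-legacy": "4.1.2",
    "vbr-new": "12.2.0.334",
}


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn '12.1.2.172', 'v12.1' or '12.1 (Build ...)' into a 4-tuple so that
    versions compare numerically and '12.1' sorts as 12.1.0.0."""
    match = re.match(r"\s*[vV]?(\d+(?:\.\d+){0,3})", text)
    if not match:
        raise ValueError(f"not a version string: {text!r}")
    parts = [int(p) for p in match.group(1).split(".")]
    parts += [0] * (4 - len(parts))
    return (parts[0], parts[1], parts[2], parts[3])


def vbr_status(installed: str) -> str:
    """Classify one Backup & Replication build against the advisory.
    Assumption: everything from 5.0 up to (not including) 12.1.2.172 is vulnerable."""
    version = parse_version(installed)
    if version < parse_version(VBR_FIRST_AFFECTED):
        return "older-than-advisory"   # not covered by the advisory; treat as unsupported
    if version < parse_version(VBR_FIXED_BUILD):
        return "vulnerable"
    return "patched"


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Group hosts by status so the 'vulnerable' list can go straight to a change ticket."""
    report: Dict[str, List[str]] = {"vulnerable": [], "patched": [], "older-than-advisory": []}
    for host, version in inventory.items():
        report[vbr_status(version)].append(host)
    for hosts in report.values():
        hosts.sort()
    return report


if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:>20}: {', '.join(hosts) or '-'}")
```

Builds older than 5.0 are reported separately rather than as "patched", because the advisory says nothing about them; a practitioner should treat such a server as out of support rather than as safe.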