Vulnerabilities > CVE-2024-40717 - Unspecified vulnerability in Veeam Backup & Replication

CVSS 8.8 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

LOW

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

network

low complexity

veeam

NVD

Published: 2024-12-04

Updated: 2025-04-24

Summary

A vulnerability in Veeam Backup & Replication allows a low-privileged user with certain roles to perform remote code execution (RCE) by updating existing jobs. These jobs can be configured to run pre- and post-scripts, which can be located on a network share and are executed with elevated privileges by default. The user can update a job and schedule it to run almost immediately, allowing arbitrary code execution on the server.

Vulnerable Configurations

Part	Description	Count
Application	Veeam Veeam Veeam Backup & Replication 12.0.0.1420 Veeam Veeam Backup & Replication 12.1.0.2131 Veeam Veeam Backup & Replication 12.1.1.56 Veeam Veeam Backup & Replication 12.1.2.172 Veeam Veeam Backup & Replication 12.2.0.334	5

References

https://www.veeam.com/kb4693