A vulnerability allowing an authenticated domain user to perform remote code execution (RCE) on the Backup Server.
The vulnerability classified as CWE-284 (Improper Access Control) indicates improper access control that allows an attacker — possessing only credentials of a regular domain user — to execute arbitrary code on the Backup Server. The attack is possible remotely over the network without requiring user interaction or administrative privileges. The network vector (AV:N) and lack of complex configuration requirements (AC:L) make the vulnerability easy to exploit.
An attacker can gain full control over the Backup Server, obtaining confidentiality, integrity, and availability of stored data (rating C:H/I:H/A:H), which in practice means the ability to delete or modify backups, as well as perform further lateral movement in the organization's network.
Apply patches available from the vendor according to the references: https://www.veeam.com/kb4830. Additionally, until the fix is implemented, it is recommended to restrict network access to the Backup Server only to trusted hosts and monitor unauthorized authentication attempts.
Veeam Backup & Replication — versions indicated in the vendor references (https://www.veeam.com/kb4830)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:HVeeam Backup \& Replication
APPVeeam12.0.0.1402 – 12.3.2.4465 (bez)
Related vulnerabilities
Krytyczne RCE przez deserialization w Veeam Backup & Replication
Veeam Backup & Replication 10.x and 11.x has Incorrect Access Control (issue 1 of 2).
RCE w Veeam Backup & Replication dla uwierzytelnionych użytkowników domenowych
RCE w Veeam Backup & Replication dla uwierzytelnionego użytkownika domenowego
RCE dla administratora kopii zapasowych w Veeam Backup & Replication (HA)