A vulnerability allowing an authenticated domain user to perform remote code execution (RCE) on the Backup Server.
The vulnerability results from insufficient access control (CWE-284) in the Backup Server component. An authenticated domain user — without the need to have administrative privileges — can send a specially crafted network request to the server, which leads to arbitrary code execution. The vulnerability operates within changed scope (Scope: Changed), which means the ability to impact resources beyond the directly vulnerable component.
An attacker can take full control of the backup server, gaining access to stored backup data, credentials, and infrastructure protected by Veeam. As a result, breach of confidentiality, integrity and availability of the system is possible, as well as potential lateral movement in the production environment.
Patches available from the vendor should be applied in accordance with references published at https://www.veeam.com/kb4830. Until the patch is deployed, it is recommended to restrict network access to the Backup Server exclusively to trusted hosts and audit domain accounts that have access to the Veeam environment.
Veeam Backup & Replication — versions indicated in vendor references (https://www.veeam.com/kb4830)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:HVeeam Backup \& Replication
APPVeeam12.0.0.1402 – 12.3.2.4465 (bez)
Related vulnerabilities
Krytyczne RCE przez deserialization w Veeam Backup & Replication
Veeam Backup & Replication 10.x and 11.x has Incorrect Access Control (issue 1 of 2).
RCE w Veeam Backup & Replication dla uwierzytelnionych użytkowników domenowych
RCE dla uwierzytelnionego użytkownika domenowego w Veeam Backup & Replication
RCE dla administratora kopii zapasowych w Veeam Backup & Replication (HA)