Veeam patches Critical Vulnerability -CVE-2024-29849

Veeam has patched a critical vulnerability that could allow an unauthenticated attacker access to the Veeam Backup Enterprise Manager (VBEM) web console.

The vulnerability, tracked as CVE-2024-29849 with a CVSS score of 9.8, allows an unauthenticated attacker to log in to the VBEM web interface as any user.

VBEM is an optional, supplementary application that is not installed by default, Veeam's security advisory noted. It gives customers a web console from which to remotely manage multiple Veeam Backup & Replication instances.

Customers should update their Backup & Replication instances to version 12.1.2.172 to resolve the issues. For users who cannot immediately patch, Veeam recommended halting use of VBEM by stopping and disabling the VeeamEnterpriseManagerSvc (Veeam Backup Enterprise Manager) and VeeamRESTSvc (Veeam RESTful API) services. The separate Veeam Backup Server RESTful API Service should not be disabled, the advisory stated.

The updated VBEM application is compatible with older versions of the main Backup & Replication software, and thus VBEM can be updated to 12.1.2.172 without the need to update the main software if VBEM is installed on a dedicated server.
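The following PowerShell script is an added example, not Veeam's own tooling, covering the two steps above: it reads the installed VBEM build from the VBEM service executable and, if that build is below 12.1.2.172, applies the advisory's interim mitigation (stop and disable VeeamEnterpriseManagerSvc and VeeamRESTSvc) while refusing to touch the Veeam Backup Server RESTful API Service. Two assumptions are baked in and marked in the comments: that the file version of the VBEM service binary reflects the product build, and that the backup server's REST API service can be recognised by the display name "Veeam Backup Server RESTful API Service". Run it from an elevated session on the VBEM host; `-Revert` re-enables the services after patching.

```powershell
<#
  Added example (not from the Veeam advisory): check the installed VBEM build and, if it is
  below the fixed build 12.1.2.172, apply the advisory's interim mitigation.
  Assumptions: the VBEM service executable's file version equals the product build, and the
  backup server's own REST API service carries the display name set below.
  Usage:  .\Mitigate-Vbem.ps1          (check and mitigate)
          .\Mitigate-Vbem.ps1 -Revert  (re-enable the services after updating)
#>
param(
    [switch]$Revert
)

$FixedBuild = [version]'12.1.2.172'
$VbemServices = @('VeeamEnterpriseManagerSvc', 'VeeamRESTSvc')            # named in the advisory
$BackupServerApiDisplayName = 'Veeam Backup Server RESTful API Service'   # must keep running (assumed display name)

function Get-VbemBuild {
    # Derive the installed build from the file version of the VBEM service executable (assumption).
    $svc = Get-CimInstance Win32_Service -Filter "Name='VeeamEnterpriseManagerSvc'"
    if (-not $svc) { return $null }
    # PathName may be quoted and may carry arguments; keep only the executable path.
    $exe = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] } else { ($svc.PathName -split ' ')[0] }
    $fv = (Get-Item -LiteralPath $exe).VersionInfo.FileVersion
    # Strip any trailing text after the numeric version before casting.
    return [version]($fv -replace '[^\d.].*$', '')
}

function Assert-NotBackupServerApi([string]$Name) {
    # Guard: never stop or disable the backup server's own REST API service.
    $svc = Get-Service -Name $Name -ErrorAction Stop
    if ($svc.DisplayName -eq $BackupServerApiDisplayName) {
        throw "Refusing to touch $Name: it is the $BackupServerApiDisplayName"
    }
}

if ($Revert) {
    foreach ($name in $VbemServices) {
        Assert-NotBackupServerApi $name
        Set-Service -Name $name -StartupType Automatic
        Start-Service -Name $name
        Write-Host "$name re-enabled and started"
    }
    return
}

$build = Get-VbemBuild
if ($null -eq $build) {
    Write-Host 'VeeamEnterpriseManagerSvc not found: VBEM is not installed on this host, nothing to do'
    return
}
if ($build -ge $FixedBuild) {
    Write-Host "VBEM build $build is at or above $FixedBuild; no mitigation needed"
    return
}

Write-Warning "VBEM build $build is below $FixedBuild; applying interim mitigation"
foreach ($name in $VbemServices) {
    if (-not (Get-Service -Name $name -ErrorAction SilentlyContinue)) {
        Write-Host "$name not present, skipping"
        continue
    }
    Assert-NotBackupServerApi $name
    Stop-Service -Name $name -Force -ErrorAction Stop
    # Disabled (not Manual) so the service does not return on reboot or via a dependent-service start.
    Set-Service -Name $name -StartupType Disabled
    $s = Get-Service -Name $name
    Write-Host ("{0}: Status={1} StartType={2}" -f $name, $s.Status, $s.StartType)
}

# Confirm the backup server's REST API service, if it runs on this host, was left alone.
$api = Get-Service | Where-Object DisplayName -eq $BackupServerApiDisplayName
if ($api -and $api.Status -ne 'Running') {
    Write-Warning "$($api.Name) is not running; verify it was not affected by this script"
}
```

Because the version check keys on the VBEM binary rather than on the Backup & Replication server, it behaves correctly on a dedicated VBEM server that is updated ahead of the main product, which is the deployment the compatibility note above describes.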

The update also patches two other high-severity VBEM vulnerabilities: CVE-2024-29850, an account takeover via NTLM relay, and CVE-2024-29851, which allows stealing the NTLM hash of the VBEM service account if that account is not the default Local System account, according to the advisory.
