Veeam addressed another vulnerability: CVE-2024-29855

Veeam has recently addressed a critical vulnerability in its Recovery Orchestrator (VRO) software. This vulnerability could grant unauthorized attackers administrative access to the VRO web user interface (UI).

The vulnerability, tracked as CVE-2024-29855, was discovered in VRO version 7.0.0.337. This flaw allows an attacker to gain access to the VRO web UI with administrative privileges. However, exploiting it requires the attacker to possess specific knowledge: the exact username and role of an account with an active VRO UI access token.

Importantly, this vulnerability does not affect other Veeam products such as Veeam Backup & Replication, Veeam Agent for Microsoft Windows, Veeam ONE, or the Veeam Service Provider Console. The isolated nature of this flaw underscores the importance of regular updates and vigilance in managing DR software.

Veeam has acted swiftly to address this security issue. The vulnerability has been resolved in the following versions of VRO:

  • Veeam Recovery Orchestrator 7.1.0.230
  • Veeam Recovery Orchestrator 7.0.0.379

Users of Veeam Recovery Orchestrator are strongly encouraged to update to these versions immediately to mitigate any potential risks associated with CVE-2024-29855.
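As an added example (not from Veeam or the original article), the following Python sketch triages a version inventory against the two fixed builds listed above. It assumes that builds below the fixed build within the same 7.0 or 7.1 branch lack the fix; the host names, inventory format, and function names are constructed for illustration.

```python
import re

# Fixed builds named in the article, keyed by (major, minor) branch.
FIXED_BUILDS = {
    (7, 0): (7, 0, 0, 379),
    (7, 1): (7, 1, 0, 230),
}

_VERSION_RE = re.compile(r"^\d+(\.\d+){3}$")


def parse_version(text):
    """Parse 'a.b.c.d' into a tuple of ints; return None if malformed."""
    text = text.strip()
    if not _VERSION_RE.match(text):
        return None
    return tuple(int(part) for part in text.split("."))


def classify(version_text):
    """Return 'patched', 'update-required', 'review' or 'unparseable'."""
    version = parse_version(version_text)
    if version is None:
        return "unparseable"
    fixed = FIXED_BUILDS.get(version[:2])
    if fixed is None:
        # The article names no fixed build for other branches: check manually.
        return "review"
    # Assumption: within a branch, any build below the fixed build is unpatched.
    return "patched" if version >= fixed else "update-required"


def triage(inventory_lines):
    """Map each host in 'host,version' lines to its status."""
    results = {}
    for line in inventory_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _, version = line.partition(",")
        results[host.strip()] = classify(version)
    return results


# Constructed sample inventory; only 7.0.0.337 and the fixed builds come from the article.
SAMPLE_INVENTORY = ["# host,vro_version", "vro-lab-01,7.0.0.337", "vro-lab-02,7.0.0.379",
                    "vro-lab-03,7.1.0.230", "vro-lab-04,7.1.0.205",
                    "vro-lab-05,6.0.0.100", "vro-lab-06,7.0.0"]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as `review` or `unparseable` need a manual check against the vendor advisory rather than being treated as safe.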
