CVE-2024-40711
Published: 07 September 2024
Summary
CVE-2024-40711 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Veeam Backup & Replication. Its CVSS base score is 9.8 (Critical).
Operationally, it is ranked in the top 1.3% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog; and a public proof-of-concept is referenced.
Deeper analysis
A deserialization of untrusted data vulnerability (CWE-502) affects Veeam Backup software and permits unauthenticated remote code execution when a malicious payload is processed. The flaw carries a CVSS 3.1 score of 9.8, reflecting network-accessible attack conditions with no required authentication or user interaction and full impact on confidentiality, integrity, and availability.
An unauthenticated remote attacker can submit a crafted serialized object to the affected service, triggering arbitrary code execution on the target system. Successful exploitation grants the attacker the ability to run commands, deploy additional payloads, or establish persistent access without prior credentials.
Veeam’s advisory KB4649 and subsequent patches address the issue through updated deserialization handling and input validation. CISA has added the CVE to its Known Exploited Vulnerabilities catalog, confirming active exploitation in the wild. The EPSS score rose sharply from low values after disclosure to a peak of 0.9680 on 2024-12-15 before receding to the current 0.7046, indicating sustained attacker interest following public release.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-38578
Vulnerability details
A deserialization of untrusted data vulnerability with a malicious payload can allow an unauthenticated remote code execution (RCE).
- CWE(s): CWE-502 (Deserialization of Untrusted Data)
- KEV Date Added: 17 October 2024
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Penetration testing supplies malicious serialized objects, detecting unsafe deserialization and supporting corrective actions.
- Evaluation of untrusted data handling (deserialization testing) reveals unsafe processing, which the remediation process then addresses.
- Sandboxing allows untrusted serialized data to be deserialized and observed inside an isolated environment, blocking gadget-chain exploitation outside the sandbox.
- Untrusted serialized data is validated or rejected before deserialization occurs.
- Malicious code introduced through deserialization of untrusted data is identified and blocked at system boundaries.
- Integrity verification of serialized information can detect tampering before deserialization occurs.
- Provenance of associated data allows detection of untrusted sources before deserialization or processing occurs.