Cyber Resilience

CVE-2024-40711

Tags: Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · Ransomware-linked · RCE

Published: 07 September 2024
Modified: 30 October 2025
KEV Added: 17 October 2024
Patch: available (Veeam KB4649)
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.7046 (98.7th percentile)
Risk Priority: 82 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-40711 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Veeam Backup & Replication. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 1.3% of CVEs by exploit likelihood (EPSS); CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.

Deeper analysis

A deserialization of untrusted data vulnerability (CWE-502) affects Veeam Backup software and permits unauthenticated remote code execution when a malicious payload is processed. The flaw carries a CVSS 3.1 score of 9.8, reflecting network-accessible attack conditions with no required authentication or user interaction and full impact on confidentiality, integrity, and availability.

An unauthenticated remote attacker can submit a crafted serialized object to the affected service, triggering arbitrary code execution on the target system. Successful exploitation grants the attacker the ability to run commands, deploy additional payloads, or establish persistent access without prior credentials.

Veeam’s advisory KB4649 and subsequent patches address the issue through updated deserialization handling and input validation. CISA has added the CVE to its Known Exploited Vulnerabilities catalog, confirming active exploitation in the wild. The EPSS score rose sharply from low values after disclosure to a peak of 0.9680 on 2024-12-15 before receding to the current 0.7046, indicating sustained attacker interest following public release.

Vulnerability details

A deserialization of untrusted data vulnerability with a malicious payload can allow an unauthenticated remote code execution (RCE).

CWE(s): CWE-502 (Deserialization of Untrusted Data)
KEV Date Added: 17 October 2024

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: Veeam
Product: Veeam Backup & Replication
Affected versions: 12.0.0.1420 to 12.2.0.334

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Each of the controls below addresses CWE-502:

- Penetration testing supplies malicious serialized objects, detecting unsafe deserialization and supporting corrective actions.
- Evaluation of untrusted data handling (deserialization testing) reveals unsafe processing, which the required remediation process addresses.
- Untrusted serialized data can be deserialized and observed inside a detonation chamber (sandbox), blocking gadget-chain exploitation outside the sandbox.
- Input validation validates or rejects untrusted serialized data before deserialization occurs.
- Malicious code protection identifies and blocks malicious code introduced through deserialization of untrusted data at system boundaries.
- Integrity verification of serialized information can detect tampering before deserialization occurs.
- Provenance of associated data allows detection of untrusted sources before deserialization or processing occurs.