CVE-2024-40717
Published: 04 December 2024
Summary
CVE-2024-40717 is a high-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Veeam Backup & Replication. Its CVSS base score is 8.8 (High).
Operationally, it ranks in the top 11.0% of CVEs by EPSS exploit likelihood and is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2024-40717 is a vulnerability in Veeam Backup & Replication that stems from insufficient access controls around job configuration. A low-privileged user holding certain roles can modify existing backup jobs to reference pre- and post-processing scripts stored on a network share; these scripts execute with elevated privileges by default, enabling remote code execution on the server.
An attacker with the requisite role can update a job and schedule it to run nearly immediately, achieving arbitrary code execution without needing additional credentials or user interaction. The issue is tracked under CWE-306 and carries a CVSS 3.1 base score of 8.8 reflecting network attack vector, low complexity, and high impact on confidentiality, integrity, and availability.
The vendor has published guidance addressing the flaw at https://www.veeam.com/kb4693. The associated EPSS score reached a peak of 0.0588 before receding to its current value of 0.0419, indicating limited sustained exploitation interest after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-38805
Vulnerability details
A vulnerability in Veeam Backup & Replication allows a low-privileged user with certain roles to perform remote code execution (RCE) by updating existing jobs. These jobs can be configured to run pre- and post-scripts, which can be located on a network share and are executed with elevated privileges by default. The user can update a job and schedule it to run almost immediately, allowing arbitrary code execution on the server.
- CWE(s): CWE-306 Missing Authentication for Critical Function
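The abuse path described in the analysis and in the vulnerability details above is a job whose pre- or post-processing script points at a network share (or any location a low-privileged role can write to). A practical compensating check, until the vendor fix from KB4693 is applied, is to audit every job's script settings and flag anything that is not a fixed, administrator-controlled local path. The following Python is an added example, not code from the page or from Veeam: it assumes the job settings have been exported into the simple record shape shown (for instance by an administrator dumping each job's advanced options), and the allowlisted directory `C:\VeeamScripts` is an assumed site policy. The sample jobs are constructed for the demonstration.

```python
import ntpath
import re
from dataclasses import dataclass

# Assumed site policy: the only directory job scripts may be loaded from
# (local disk, writable by administrators only). Adjust to the environment.
ALLOWED_SCRIPT_DIRS = (r"C:\VeeamScripts",)

# Interpreters that let a caller smuggle inline code instead of a vetted script file.
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Matches a UNC path such as \\server\share\script.cmd
UNC_RE = re.compile(r"^\\\\[^\\]+\\")


@dataclass
class JobScripts:
    """Pre/post script settings of one backup job (constructed record shape,
    not a Veeam schema; fill it from the job's advanced options)."""
    name: str
    pre_enabled: bool = False
    pre_cmd: str = ""
    post_enabled: bool = False
    post_cmd: str = ""


def executable_of(cmdline: str) -> str:
    """Return the program/script token of a command line, honouring quotes."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split(maxsplit=1)[0] if s else ""


def under_allowed_dir(path: str) -> bool:
    """True if the normalised path sits inside an allowlisted directory.
    normpath collapses '..' so C:\\VeeamScripts\\..\\x is rejected."""
    norm = ntpath.normpath(path).lower()
    return any(norm.startswith(ntpath.normpath(d).lower() + "\\") for d in ALLOWED_SCRIPT_DIRS)


def check_script(kind: str, cmdline: str) -> list:
    """Return findings as (kind, reason, detail) tuples for one script setting."""
    exe = executable_of(cmdline)
    base = ntpath.basename(exe).lower()
    if base in INTERPRETERS:
        return [(kind, "interpreter invocation; inspect arguments", cmdline)]
    if UNC_RE.match(exe):
        return [(kind, "script on network share", exe)]
    if not under_allowed_dir(exe):
        return [(kind, "script outside allowlisted directory", exe)]
    return []


def audit_job(job: JobScripts) -> list:
    """Only enabled scripts run, so disabled ones produce no finding."""
    out = []
    if job.pre_enabled:
        out += check_script("pre", job.pre_cmd)
    if job.post_enabled:
        out += check_script("post", job.post_cmd)
    return out


def audit_jobs(jobs) -> dict:
    """Map job name -> findings, for jobs that have at least one finding."""
    result = {}
    for job in jobs:
        findings = audit_job(job)
        if findings:
            result[job.name] = findings
    return result


# Constructed sample data, not taken from any real deployment.
SAMPLE_JOBS = [
    JobScripts("Daily-FS", pre_enabled=True, pre_cmd=r'"C:\VeeamScripts\pre-quiesce.ps1" -Verbose'),
    JobScripts("SQL-Backup", post_enabled=True, post_cmd=r"\\fileshare01\scripts\post.cmd"),
    JobScripts("Exchange", pre_enabled=True, pre_cmd=r"C:\Users\Public\stage.bat"),
    JobScripts("Lab-Test", pre_enabled=False, pre_cmd=r"\\lab\old\pre.bat"),
    JobScripts("VDI", post_enabled=True, post_cmd="powershell.exe -nop -w hidden -enc SQBFAFgA"),
]

if __name__ == "__main__":
    for name, findings in audit_jobs(SAMPLE_JOBS).items():
        for kind, reason, detail in findings:
            print(f"{name}: {kind}-script {reason}: {detail}")
```

Run against the constructed sample, `Daily-FS` and `Lab-Test` are clean (local allowlisted script; disabled script), while `SQL-Backup` (UNC path), `Exchange` (world-writable local path) and `VDI` (inline PowerShell) are each reported. The check is deliberately conservative: it does not try to decide whether a share is trustworthy, because the weakness is that a low-privileged role can point the job anywhere at all, so any script outside the fixed local directory deserves review.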
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls (AI-derived)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Session lock: requires established identification and authentication to unlock, mitigating missing authentication for continued system access.
- Actions without identification or authentication: requiring identification and a rationale for any action allowed without authentication forces review of authentication requirements, so critical functions are not left unprotected.
- Access control for mobile devices: authorizing mobile device connections to organizational systems ensures authentication is performed for this critical access function.
- Access enforcement: guarantees critical functions are protected by mandatory invocation of the access control mechanism.
- Session audit: auditing sessions makes it possible to detect access to critical functions without the required authentication.
- Security assessment: the assessment process confirms authentication is present and effective for critical functions, preventing exploitation from missing authentication.
- Certification: assesses that critical functions have the required authentication controls in place.
- Least functionality: disabling non-essential functions and services eliminates the need to secure them, reducing exposure from missing authentication on unnecessary components.