CVE-2024-40710

A series of related high-severity vulnerabilities, the most notable enabling remote code execution (RCE) as the service account and extraction of sensitive information (savedcredentials and passwords). Exploiting these vulnerabilities requires a user who has been assigned a low-privileged role within Veeam Backup & Replication.

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://www.veeam.com/kb4649	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:veeam:veeam_backup_\&_replication:*:*:*:*:*:*:*:*

History

01 May 2025, 18:13

Type	Values Removed	Values Added
CPE		cpe:2.3:a:veeam:veeam_backup_\&_replication::::::::
References	~~() https://www.veeam.com/kb4649 -~~	() https://www.veeam.com/kb4649 - Vendor Advisory
First Time		Veeam Veeam veeam Backup \& Replication

09 Sep 2024, 17:35

Type	Values Removed	Values Added
CWE		CWE-522

09 Sep 2024, 13:03

Type	Values Removed	Values Added
Summary		(es) Una serie de vulnerabilidades relacionadas de alta gravedad, la más notable de las cuales permite la ejecución remota de código (RCE) como cuenta de servicio y la extracción de información confidencial (credenciales y contraseñas guardadas). Para explotar estas vulnerabilidades se requiere un usuario al que se le haya asignado un rol con pocos privilegios dentro de Veeam Backup & Replication.

07 Sep 2024, 17:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-09-07 17:15

Updated : 2025-05-01 18:13

NVD link : CVE-2024-40710

Mitre link : CVE-2024-40710

CVE.ORG link : CVE-2024-40710

JSON object : View

Products Affected

veeam

veeam_backup_\&_replication

CWE

CWE-522

Insufficiently Protected Credentials

{"id": "CVE-2024-40710", "cveTags": [], "metrics": {"cvssMetricV30": [{"type": "Secondary", "source": "support@hackerone.com", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2024-09-07T17:15:13.110", "references": [{"url": "https://www.veeam.com/kb4649", "tags": ["Vendor Advisory"], "source": "support@hackerone.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-522"}]}], "descriptions": [{"lang": "en", "value": "A series of related high-severity vulnerabilities, the most notable enabling remote code execution (RCE) as the service account and extraction of sensitive information (savedcredentials and passwords). Exploiting these vulnerabilities requires a user who has been assigned a low-privileged role within Veeam Backup & Replication."}, {"lang": "es", "value": "Una serie de vulnerabilidades relacionadas de alta gravedad, la m\u00e1s notable de las cuales permite la ejecuci\u00f3n remota de c\u00f3digo (RCE) como cuenta de servicio y la extracci\u00f3n de informaci\u00f3n confidencial (credenciales y contrase\u00f1as guardadas). Para explotar estas vulnerabilidades se requiere un usuario al que se le haya asignado un rol con pocos privilegios dentro de Veeam Backup & Replication."}], "lastModified": "2025-05-01T18:13:16.443", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:veeam:veeam_backup_\\&_replication:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "558CF39E-DE64-41D4-A99E-74BCA1490CDB", "versionEndExcluding": "12.2.0.334"}], "operator": "OR"}]}], "sourceIdentifier": "support@hackerone.com"}