Veeam reveals critical security bug in Backup Enterprise Manager tool

Veeam BaaS och DRaaS illustrerat
Krönika av Victor Engelbrecht Dohlmann på Veeam (Image credit: Veeam)

Veeam has discovered, and fixed, a critical-severity vulnerability in its Veeam Backup Enterprise Manager (VBEM) tool.

The vulnerability, tracked as CVE-2024-29849 (via BleepingComputer) is described as an authentication bypass flaw, allowing pretty much anyone to sign into any account on the platform. It carries a security score of 9.8, deeming it “critical”.

VBEM is a centralized management and monitoring tool for Veeam Backup & Replication environments. It is designed for large-scale, or enterprise-level deployments, and provides a unified interface where admins can manage, monitor, and control backup operations across multiple Veeam Backup & Replication servers.

Patching more flaws

It’s also worth mentioning that VBEM is not turned on by default, and not all companies using it are vulnerable. Still, everyone is advised to apply the patch as soon as possible. 

Those that cannot do that immediately, are advised to disable the VeeamEnterpriseManagerSvc and VeeamRESTSvc services. Completely uninstalling Veeam Backup Enterprise Manager is also a viable option. More details can be found on the relevant help page on the company's website.

The first version unaffected by the bug is VBEM 12.1.2.172, as confirmed by the company . 

In its latest security advisory, Veeam also said it patched two additional VBEM flaws, one which allowed for account takeover via NTLM relay (tracked as CVE-2024-29850), and one that enables high-privileged users to steal the Veeam Backup Enterprise Manager service account's NTLM hash (in scenarios where it's not configured to run as the default Local System account). This one's tracked as CVE-2024-29851.

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Read more
Computer Hacked, System Error, Virus, Cyber attack, Malware Concept. Danger Symbol
Veeam urges users to patch security issues which could allow backup hacks
A person's fingers type at a keyboard, with a digital security screen with a lock on it overlaid.
Veeam backup software has a serious security flaw - here's how to stay safe
An image of network security icons for a network encircling a digital blue earth.
US government warns agencies to make sure their backups are safe from NAKIVO security issue
A stylized depiction of a padlocked WiFi symbol sitting in the centre of an interlocking vault.
Broadcom warns of worrying security flaws affecting VMware tools
Representational image depecting cybersecurity protection
Ivanti reveals major security update, so make sure you're protected
Security
Broadcom releases fixes for multiple VMware security flaws
Latest in Security
Isometric demonstrating multi-factor authentication using a mobile device.
NCSC gets influencers to sing the praises of 2FA
China
Notorious Chinese hackers FamousSparrow allegedly target US financial firms
A digital representation of a lock
NYU website defaced as hacker leaks info on a million students
NHS
NHS IT supplier hit with major fine following ransomware attack
Businessman holding a magnifier and searching for a hacker within a business team.
Cloud streaming hoster StreamElements confirms data breach following attack
A digital representation of blockchain.
Malicious npm packages use devious backdoors to target users
Latest in News
Three angles of the Apple MacBook Air 15-inch M4 laptop above a desk
Apple MacBook Air 15-inch (M4) review roundup – should you buy Apple's new lightweight laptop?
Witchbrook
Witchbrook, the life-sim I've been waiting years for, finally has a release window and it's sooner than you think
Amazon Echo Smart Speaker
Amazon is experimenting with renaming Echo speakers to Alexa Devices, and it's about time
Shigeru Miyamoto presents Nintendo Today app
Nintendo Today smartphone app is out now on iOS and Android devices – and here's what it does
Nintendo Virtual Game Card
Nintendo reveals the new Virtual Game Card feature, an easier way to manage your digital Switch games
Isometric demonstrating multi-factor authentication using a mobile device.
NCSC gets influencers to sing the praises of 2FA