Veeam Users Urged to Update Immediately After Massive Security Flaw Discovery
Users of Veeam Backup Enterprise Manager, beware! A critical security flaw (CVE-2024-29849) could let attackers bypass authentication and log in as any user. With a CVSS score of 9.8, it’s no joke. Update to the latest version to stay safe!

Hot Take:
Looks like Veeam is playing whack-a-mole with vulnerabilities again! If Veeam were a car, it’d be in the shop more often than on the road. Make sure you update before the hackers turn your backups into backfires!
Key Points:
- Critical flaw CVE-2024-29849 allows attackers to bypass authentication (CVSS score: 9.8).
- Three other vulnerabilities (CVE-2024-29850, CVE-2024-29851, CVE-2024-29852) also affect Veeam Backup Enterprise Manager.
- All issues are patched in version 12.1.2.172.
- Other Veeam products, including Veeam Agent for Windows and Veeam Service Provider Console, have also received critical updates.
- Veeam Backup & Replication software has previously been exploited by threat actors like FIN7 and Cuba.
Patch Your Backups or Get Whacked
Alright folks, if you’ve been napping on your updates, it’s time to wake up and smell the vulnerability coffee. Veeam’s latest issue, CVE-2024-29849, could let a sneaky attacker waltz right into your backup manager like they own the place. With a CVSS score of 9.8, this bug’s practically screaming for attention. And if that’s not enough to get your pulse racing, just think about how nice it would be to keep your data safe from cyber villains.
More Flaws Than a Reality TV Show
But wait, there’s more! Veeam didn’t stop at just one security hiccup. They’ve disclosed three additional flaws in the same product. First, there’s CVE-2024-29850, with a CVSS score of 8.8, which allows account takeover via NTLM relay. Next, CVE-2024-29851 (CVSS score: 7.2) lets a privileged user steal NTLM hashes if the service account isn’t configured correctly. And last but certainly not least, CVE-2024-29852 (CVSS score: 2.7) allows reading backup session logs. It’s like a buffet of vulnerabilities—there’s something for everyone!
Update or Face the Music
Thankfully, all these flaws have been patched in version 12.1.2.172. But remember, deploying Veeam Backup Enterprise Manager is optional. So, if you’re not using it, you’re in the clear. But if you are, you better get patching faster than a caffeine-fueled coder on a deadline. Because the only thing worse than a data breach is knowing you could have prevented it with a simple update.
Not Just One Product, But Many
Veeam’s woes don’t end with Backup Enterprise Manager. Recently, they’ve patched a local privilege escalation flaw in Veeam Agent for Windows (CVE-2024-29853, CVSS score: 7.2) and a critical remote code execution bug in Veeam Service Provider Console (CVE-2024-29212, CVSS score: 9.9). According to Veeam, the latter issue is due to an unsafe deserialization method, which sounds like a fancy way of saying “Oops, we left the backdoor wide open.”
Lessons from the Past
If history has taught us anything, it’s that Veeam software is a hot target for cybercriminals. Just ask the folks at FIN7 and Cuba, who’ve exploited previous flaws in Veeam Backup & Replication software (CVE-2023-27532, CVSS score: 7.5) to deploy all sorts of nasty payloads, including ransomware. So, unless you want to end up as the next cautionary tale, it’s time to patch those systems and keep your backups from becoming a hacker’s playground.