Skip to main content

Critical Veeam CVE actively exploited in ransomware attacks

-

 

 

Multiple ransomware groups targeted the vulnerability, which has a CVSS score of 9.8, more than a month after it was disclosed and patched by the data backup and recovery vendor.

Published Oct. 22, 2024
Data privacy
DKosig via Getty Images

Dive Brief:

  • Threat groups are actively exploiting a critical vulnerability in Veeam Backup and Replication for ransomware attacks, researchers and federal cyber authorities said. Veeam disclosed the vulnerability, which has a CVSS score of 9.8, in a Sept. 4 security bulletin along with five other vulnerabilities in the enterprise backup software.
  • The Cybersecurity and Infrastructure Security Agency added CVE-2024-40711 to its known exploited vulnerabilities catalog on Thursday and said it’s known to be used in ransomware attacks. The deserialization vulnerability allows an unauthenticated attacker to perform remote code execution.
  • Researchers at Sophos X-Ops tracked at least four ransomware attacks involving CVE-2024-40711 exploits earlier this month. The cybersecurity vendor’s threat response team said it observed attacks linked to Akira and Fog ransomware variants. “In each of the cases, attackers initially access targets using compromised VPN gateways without multifactor authentication enabled,” Sophos X-Ops said in an Oct. 11 post on social platform X.

Exploits and ransomware attacks linked to CVE-2024-40711 follow a common sequence, underscoring the sustained exposure and longtail impact of software vulnerabilities.

Veeam patched the vulnerability in a software update, Veeam Backup and Replication v12.2, on Aug. 28, version 12.2, Heidi Monroe Kroft, senior director of corporate communications and global public relations at Veeam, said via email Monday. “This was directly communicated to all impacted Veeam customers.”

Vulnerability researchers from Censys and Rapid7 sounded the alarm after the critical software defect in the popular enterprise product was patched and disclosed. Partial proof-of-concept exploit code was released within days of the public CVE disclosure.

Sophos X-Ops began tracking active exploits involving ransomware more than a month after Veeam resolved the vulnerability in a software update. CVE-2024-40711 affects Veeam Backup and Replication version 12.1.2.172 and prior version 12 builds.

The application is used by enterprises to backup, replicate and restore virtual, physical and cloud machines.

“As a result of its popularity, it’s also a prime target for adversaries, including ransomware groups,” Caitlin Condon, director of vulnerability intelligence at Rapid7, said Monday via email. “More than 20% of Rapid7 incident response cases in 2024 have involved Veeam being accessed or exploited in some manner, typically once an adversary has already established a foothold in the target environment.”

Threat groups exploited previous Veeam Backup and Replication vulnerabilities months after disclosure, and almost a year later in one case, Condon said.

Veeam declined to say how many customers have patched or been impacted by the vulnerability.

Himaja Motheram, security researcher at Censys, said the number of exposed Veeam Backup and Replication servers has remained fairly consistent since the CVE was disclosed, dropping from 2,833 exposed instances on Sept. 6 to 2,784 exposed hosts as of Monday.

The exposed instances are mostly concentrated in Europe, according to Censys. The digital arm of the U.K.’s National Health Service issued a cybersecurity alert about active exploitation of CVE-2024-40711 on Oct. 11.

 

Reference

Cybersecurity Dive. (2025). Critical Veeam CVE actively exploited in ransomware attacks.

 https://cybersecuritydive.blogspot.com/2025/04/critical-veeam-cve-actively-exploited.html

Comments

Post a Comment

Popular posts from this blog

Critical Vulnerability in Veeam Backup & Replication Exposes Enterprises to Remote Code Execution

-
Image
Critical Vulnerability in Veeam Backup & Replication Exposes Enterprises to Remote Code Execution By : Rei Ibraima A newly discovered critical vulnerability in Veeam’s Backup & Replication software, designated as CVE-2025-23120, poses a significant security risk to enterprise environments. The flaw allows authenticated domain users to execute arbitrary code remotely, potentially leading to full compromise of backup infrastructures. About CVE-2025-23120 The vulnerability arises from an insecure deserialization issue within Veeam Backup & Replication components—particularly in the .NET classes Veeam.Backup.EsxManager.xmlFrameworkDs and Veeam.Backup.Core.BackupSummary. Improper input validation in these components allows attackers to inject malicious serialized objects that are executed on the server side, resulting in Remote Code Execution (RCE). This issue affects systems where Veeam Backup & Replication is deployed in a domain-joined configuration, which—while common—is...
Read more

CISA and ENISA enhance their Cooperation

-
Image
  The European Union Agency for Cybersecurity (ENISA) has signed a Working Arrangement with the Cybersecurity and Infrastructure Security Agency (CISA) of the US, in the areas of capacity-building, best practices exchange and boosting situational awareness. Geopolitics have shaped the cyber threat landscape, bringing like-minded partners closer together in the wake of common cyber challenges and advances in digital technologies. Today at the EU-US Cyber Dialogue, ENISA and CISA announced the signing of their Working Arrangement as an important milestone in the overall cooperation between the United States and the European Union in the field of cybersecurity, also following the Joint Statement of European Commissioner Thierry Breton and U.S. Secretary for Homeland Security Alejandro Mayorkas of January 2023. ENISA’s International Strategy directs the Agency to be selective in engaging with international partners and to limit its overall approach in international cooperation to those...
Read more

New Diicot Threat Group Targets SSH Servers with Brute-Force Malware

-
Image
  Diicot, previously known as Mexals, is a relatively new threat group that possesses extensive technical knowledge and has a broad range of objectives. Diicot shares its new name with the Romanian anti-terrorism policing unit and uses the same style of messaging and imagery. Researchers from Cado Labs reported that an emerging Romanian threat actor called Diicot is utilizing unique TTPs (Tactics, Techniques, and Procedures) and an interesting attack pattern to target victims. The researchers noted that the group has been using brute-force malware whose payloads have neither been publicly reported nor appeared in common repositories. About Diicot Threat Group Diicot, previously known as Mexals, is a relatively new threat group that possesses extensive technical knowledge and has a broad range of objectives. Diicot shares its new name with the Romanian anti-terrorism policing unit and uses the same style of messaging and imagery. Previous research by Akamai and Bitdefender reveals ...
Read more