---
licence_title: Creative Commons Attribution 4.0 International (CC-BY 4.0)
licence_link: https://creativecommons.org/licenses/by/4.0/
licence_restrictions: https://cert.europa.eu/legal-notice
licence_author: CERT-EU, The Cybersecurity Service for the European Union institutions, bodies, offices and agencies
title: 'Critical Vulnerability in Veeam'
number: '2024-092'
version: '1.0'
original_date: 'September 5, 2024'
date: 'September 6, 2024'
---

_History:_

* _06/09/2024 --- v1.0 -- Initial publication_

# Summary

On September 5, 2024, Veeam disclosed a critical remote code execution (RCE) vulnerability tracked as **CVE-2024-40711**, affecting Veeam Backup & Replication (VBR) [1]. This flaw allows unauthenticated attackers to execute arbitrary code on vulnerable systems (CVSS score: 9.8).

VBR is a target for ransomware attacks, as it plays a key role in enterprise data protection. Users are advised to update to version 12.2.0.334 as soon as possible.

# Technical Details

The vulnerability tracked as **CVE-2024-40711** enables remote, unauthenticated code execution on vulnerable VBR systems, potentially leading to lateral movement and full infrastructure compromise.

# Affected Products

- Veeam Backup & Replication versions 12.1.2.172 and earlier.

# Recommendations

CERT-EU recommends updating to VBR version 12.2.0.334 as soon as possible.

# References

[1]
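
The version boundaries given under Affected Products and Recommendations can be applied to an asset inventory as follows. This is an added example, not code from CERT-EU or Veeam; the hostnames and sample build numbers are constructed, and treating builds above 12.2.0.334 as fixed is an assumption.

```python
"""Triage a VBR version inventory against the advisory's version boundaries."""
import re

LAST_AFFECTED = (12, 1, 2, 172)  # advisory: "12.1.2.172 and earlier"
FIXED = (12, 2, 0, 334)          # advisory: recommended update target

_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)\.(\d+)\s*$")


def parse_version(text):
    """Return a 4-tuple of ints, or None if text is not a four-part build."""
    m = _VERSION_RE.match(text or "")
    return tuple(int(p) for p in m.groups()) if m else None


def classify(version_text):
    """Map a version string to 'affected', 'fixed', 'verify' or 'unparsable'."""
    v = parse_version(version_text)
    if v is None:
        return "unparsable"   # never assume a host is safe on bad data
    if v <= LAST_AFFECTED:    # numeric tuple compare, not string compare
        return "affected"
    if v >= FIXED:            # assumption: later builds retain the fix
        return "fixed"
    return "verify"           # between the boundaries the advisory is silent


def triage(inventory):
    """Group hostnames by status; inventory yields (host, version) pairs."""
    report = {"affected": [], "verify": [], "unparsable": [], "fixed": []}
    for host, version in inventory:
        report[classify(version)].append(host)
    return report


# Constructed sample inventory (invented hosts; builds chosen to hit each case).
SAMPLE = [
    ("vbr-01", "12.1.2.172"),  # last affected build named in the advisory
    ("vbr-02", "12.2.0.334"),  # recommended build
    ("vbr-03", "11.0.0.1"),    # older major version
    ("vbr-04", "12.1.9.0"),    # falls between the two boundaries
    ("vbr-05", "12.10.0.1"),   # string comparison would sort this below 12.2
    ("vbr-06", "12.2"),        # truncated version from a bad inventory export
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE).items():
        print(f"{status:10} {', '.join(hosts) or '-'}")
```

Hosts reported as `verify` or `unparsable` need a manual check against the vendor bulletin before they are considered patched.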