Veeam reveals critical security bug in Backup Enterprise Manager tool

[Image: Veeam BaaS and DRaaS illustrated (Image credit: Veeam)]

Veeam has discovered, and fixed, a critical-severity vulnerability in its Veeam Backup Enterprise Manager (VBEM) tool.

The vulnerability, tracked as CVE-2024-29849 (via BleepingComputer), is described as an authentication bypass flaw, allowing pretty much anyone to sign into any account on the platform. It carries a CVSS score of 9.8, rating it “critical”.

VBEM is a centralized management and monitoring tool for Veeam Backup & Replication environments. It is designed for large-scale, or enterprise-level deployments, and provides a unified interface where admins can manage, monitor, and control backup operations across multiple Veeam Backup & Replication servers.

Patching more flaws

It’s also worth mentioning that VBEM is not enabled by default, so not all companies running Veeam Backup & Replication are exposed. Still, everyone using it is advised to apply the patch as soon as possible.

Those that cannot do so immediately are advised to stop and disable the VeeamEnterpriseManagerSvc and VeeamRESTSvc services. Completely uninstalling Veeam Backup Enterprise Manager is also a viable option. More details can be found on the relevant help page on the company's website.

The first version unaffected by the bug is VBEM 12.1.2.172, as confirmed by the company.
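The two facts above (the first fixed build, 12.1.2.172, and the interim workaround of disabling VeeamEnterpriseManagerSvc and VeeamRESTSvc) can be turned into a quick triage script for the VBEM host. The following PowerShell is an added example, not Veeam's code or anything from the advisory; it assumes that the file version stamped on the VeeamEnterpriseManagerSvc binary tracks the VBEM build number, which should be confirmed against the vendor's advisory before relying on it.

```powershell
# Added example (not from Veeam or the article): check whether the locally installed
# Veeam Backup Enterprise Manager is older than the first fixed build named in the
# article (12.1.2.172) and, if so, stop and disable the two services the vendor names
# as the interim workaround. Run in an elevated PowerShell session on the VBEM host.
# Assumption: the file version of the VeeamEnterpriseManagerSvc binary tracks the
# VBEM build number; verify this against the vendor advisory before relying on it.

$FixedVersion = [version]'12.1.2.172'
$ServiceNames = @('VeeamEnterpriseManagerSvc', 'VeeamRESTSvc')

function Get-VbemInstalledVersion {
    # Locate the service binary via the service definition rather than a hard-coded path.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='VeeamEnterpriseManagerSvc'"
    if (-not $svc) { return $null }   # service not registered: VBEM is not installed here

    # PathName may be quoted and may carry arguments; keep only the executable path.
    $exe = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] } else { ($svc.PathName -split ' ')[0] }
    if (-not (Test-Path -LiteralPath $exe)) { return $null }

    # Build a [version] from the numeric parts so trailing text in FileVersion cannot break the cast.
    $vi = (Get-Item -LiteralPath $exe).VersionInfo
    return [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
}

function Test-VbemVulnerable {
    param([version]$Installed, [version]$Fixed = $FixedVersion)
    if (-not $Installed) { return $false }   # nothing installed, nothing to mitigate
    return $Installed -lt $Fixed
}

function Invoke-VbemWorkaround {
    # Interim mitigation from the advisory: stop and disable both services until patched.
    foreach ($name in $ServiceNames) {
        $s = Get-Service -Name $name -ErrorAction SilentlyContinue
        if (-not $s) { Write-Warning "Service $name not found"; continue }
        if ($s.Status -ne 'Stopped') { Stop-Service -Name $name -Force }
        Set-Service -Name $name -StartupType Disabled
        Write-Host "Stopped and disabled $name"
    }
}

$installed = Get-VbemInstalledVersion
if (-not $installed) {
    Write-Host 'VBEM service not present on this host; nothing to do.'
} elseif (Test-VbemVulnerable -Installed $installed) {
    Write-Warning "VBEM $installed is below $FixedVersion (CVE-2024-29849); applying workaround until the patch is installed."
    Invoke-VbemWorkaround
} else {
    Write-Host "VBEM $installed is at or above the fixed build $FixedVersion."
}
```

The script deliberately reads the binary path out of the registered service rather than guessing an install directory, and it only touches the two services the advisory names; re-enable them (`Set-Service -StartupType Automatic`) once the host has been upgraded to 12.1.2.172 or later.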

In its latest security advisory, Veeam also said it patched two additional VBEM flaws, one which allowed for account takeover via NTLM relay (tracked as CVE-2024-29850), and one that enables high-privileged users to steal the Veeam Backup Enterprise Manager service account's NTLM hash (in scenarios where it's not configured to run as the default Local System account). This one's tracked as CVE-2024-29851.


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.