Critical Veeam Vulnerability Leads to Authentication Bypass


Veeam Backup Enterprise Manager update resolves multiple vulnerabilities, including a critical authentication bypass.

Veeam on Tuesday rolled out a Backup & Replication update to address four vulnerabilities, including a critical-severity Backup Enterprise Manager bug leading to authentication bypass.

The critical flaw, tracked as CVE-2024-29849 (CVSS score of 9.8), “allows an unauthenticated attacker to log in to the Veeam Backup Enterprise Manager web interface as any user,” Veeam explains in an advisory.

According to Veeam, the security defect impacts Backup & Replication product versions 5.0 to 12.1 and was addressed with the release of Backup Enterprise Manager version 12.1.2.172, which is packaged with Backup & Replication version 12.1.2 (build 12.1.2.172).

The release also resolves a high-severity issue allowing attackers to take over accounts via NTLM relay attacks. The vulnerability is tracked as CVE-2024-29850 (CVSS score of 8.8).

CVE-2024-29851 (CVSS ...


Copyright of this story solely belongs to securityweek.