CVE-2024-40715
This vulnerability in Veeam Backup Enterprise Manager allows attackers to bypass authentication while performing a Man-in-the-Middle (MITM) attack.
Severity: High
CVSS v3.1 Score: 7.7 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L)
This vulnerability was reported by ZDI through HackerOne.
The vulnerability documented in this article was resolved with a hotfix for Veeam Backup Enterprise Manager 12.2.0.334. This hotfix is available directly via this article and was integrated into repackaged ISOs for Veeam Backup & Replication and Veeam Data Platform released on 2024-11-06. For environments where Veeam Backup Enterprise Manager 12.2.0.334 is already installed, download the hotfix from the Download Information section below. For environments where Veeam Backup Enterprise Manager 12.1.2.172 or older is installed, please upgrade to 12.2.0.334 using the latest Veeam Backup & Replication ISO.
Download Hotfix
Filename: veeam_backup_12.2.0.334_PrivateFix_TF812030.zip
MD5: AEE65885214721E5757B8B05397590FB
SHA1: 7EFD3B89185CCB4230628A0CCA4ACE3D5BE5CD51
Version Requirement
The hotfix requires the existing Veeam Backup Enterprise Manager deployment to be running 12.2.0.334. You can check which version of Veeam Backup Enterprise Manager is installed by viewing the About section of the Configuration view. If an earlier version of Veeam Backup Enterprise Manager (12.1.2.172 or older) is deployed, upgrade to 12.2.0.334 using the latest Veeam Backup & Replication ISO, which contains the hotfix and will automatically deploy it.
As this is a hotfix, the build number of the software will not change. Therefore, validating that the hotfix has been deployed requires computing the hash of the file present on the system and comparing it to the known hash of the file included in the hotfix.
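The hash comparison described above, as an added PowerShell example that is not part of the Veeam article: it checks the downloaded archive against the MD5 and SHA1 values published here, and the same function can be reused after deployment for the files the hotfix replaces. The archive path and the deployed-file entries are assumptions; the per-file hashes are not in this article and must come from the hotfix package itself.

```powershell
# Added example (not Veeam's own code). Compares files on disk against
# published hashes and reports OK / MISMATCH per entry.
function Test-PublishedHashes {
    param(
        # Each entry: @{ Path = ...; Algorithm = 'MD5'|'SHA1'|'SHA256'; Hash = ... }
        [Parameter(Mandatory)] [object[]] $Entries
    )
    $allOk = $true
    foreach ($e in $Entries) {
        if (-not (Test-Path -LiteralPath $e.Path -PathType Leaf)) {
            Write-Warning "Missing file: $($e.Path)"
            $allOk = $false
            continue
        }
        $actual = (Get-FileHash -LiteralPath $e.Path -Algorithm $e.Algorithm).Hash
        # -ieq is a case-insensitive comparison; Get-FileHash returns upper-case hex.
        $ok = $actual -ieq $e.Hash
        if (-not $ok) { $allOk = $false }
        '{0,-8} {1,-6} {2}  {3}' -f $(if ($ok) { 'OK' } else { 'MISMATCH' }), `
            $e.Algorithm, $actual, $e.Path
    }
    return $allOk
}

# Stage 1: the downloaded archive. Path is an assumption; hashes are from this article.
$ArchivePath = 'C:\Temp\veeam_backup_12.2.0.334_PrivateFix_TF812030.zip'
$ArchiveEntries = @(
    @{ Path = $ArchivePath; Algorithm = 'MD5';  Hash = 'AEE65885214721E5757B8B05397590FB' }
    @{ Path = $ArchivePath; Algorithm = 'SHA1'; Hash = '7EFD3B89185CCB4230628A0CCA4ACE3D5BE5CD51' }
)
if (-not (Test-PublishedHashes -Entries $ArchiveEntries)) {
    Write-Warning 'Archive hash mismatch: do not extract or apply it; re-download from the KB article.'
    exit 1
}
Write-Host 'Archive hashes match; safe to extract and apply.'

# Stage 2 (after deployment): the build number does not change, so check the
# replaced files. Fill in path and hash from the hotfix package (placeholders here).
$DeployedEntries = @(
    # @{ Path = '<path of file replaced by hotfix>'; Algorithm = 'SHA1'; Hash = '<hash from hotfix readme>' }
)
if ($DeployedEntries.Count -gt 0) {
    if (Test-PublishedHashes -Entries $DeployedEntries) {
        Write-Host 'Deployed files match the hotfix hashes: hotfix is in place.'
    } else {
        Write-Warning 'One or more deployed files do not match: hotfix is not (fully) applied.'
    }
}
```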