CVE-2024-40711 — Veeam Backup and Replication Deserialization Vulnerability

CVE-2024-40711

Veeam Backup & Replication — Pre-Auth .NET Deserialization RCE; CVSS 9.8; Actively Exploited by Fog, Akira, and Ransomware Affiliates

What is Veeam Backup & Replication?

Veeam Backup & Replication is a widely deployed enterprise backup and disaster recovery platform, protecting virtual machines (VMware vSphere, Microsoft Hyper-V), physical servers, cloud workloads (AWS, Azure, GCP), and Microsoft 365 data. It is especially common in VMware-heavy environments. The backup server is a high-value target for ransomware operators for two reasons: (1) whoever controls it can delete or encrypt the backups, destroying the victim's ability to recover without paying; and (2) the backup server holds credentials and network reachability for every system it protects, which gives an intruder ready-made paths for lateral movement. Ransomware groups therefore target Veeam deliberately, usually before encryption, to remove recovery options.

Overview

CVE-2024-40711 is a deserialization of untrusted data vulnerability (CWE-502) in Veeam Backup & Replication that allows an unauthenticated remote attacker to execute arbitrary code on the backup server. The deserialization occurs in the .NET Remoting endpoint exposed by the Veeam Backup Service. Veeam published its advisory (KB4649) on September 4, 2024, with the fix shipped in version 12.2 (build 12.2.0.334); NVD published the CVE on September 7. Ransomware affiliates weaponized it within weeks: CISA added it to the KEV catalog on October 17, 2024 after Fog and Akira intrusions exploiting it were documented.

Affected Versions

Product                           Vulnerable                                  Fixed
Veeam Backup & Replication 12.x   12.1.2.172 and all earlier 12.x builds      12.2 (build 12.2.0.334)
Veeam Backup & Replication 11.x   All builds (end of support, no 11.x fix)    Upgrade to 12.2 (build 12.2.0.334)

Technical Details

The vulnerable code is the .NET Remoting listener of the Veeam Backup Service (TCP port 9401 by default), the management channel used by the Veeam Backup & Replication console and other Veeam components. The service deserializes objects supplied by the remote peer, and its only protection was a blacklist of known-dangerous types rather than an allowlist of expected ones (per watchTowr's public analysis). A gadget chain assembled from types not on that list is therefore deserialized and executed in the context of the Veeam Backup Service account, by default NT AUTHORITY\SYSTEM, or a domain service account with broad rights where the installer was configured that way.

No authentication required: The deserialization vulnerability is reached before any authentication check, making it exploitable from any network position that can reach TCP 9401 on the Veeam server.
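The two facts a responder needs first are the installed build and whether TCP 9401 is reachable from more than the admin network. The script below is an added example, not Veeam tooling, and it assumes a default install path and that the file version of Veeam.Backup.Service.exe tracks the product build (both labelled in the comments); run it elevated on the backup server.

```powershell
# Added example: triage one Veeam Backup & Replication server for CVE-2024-40711.
# Assumptions (not from the vendor advisory): default install path, and the
# backup service binary's file version matches the product build shown in
# Help > About. Run from an elevated PowerShell session on the backup server.

$FixedBuild   = [version]'12.2.0.334'    # first build carrying the fix (Veeam KB4649)
$ServiceExe   = 'C:\Program Files\Veeam\Backup and Replication\Backup\Veeam.Backup.Service.exe'
$RemotingPort = 9401                     # .NET Remoting listener reached by the exploit

function Test-VeeamVulnerableBuild {
    param([Parameter(Mandatory)][version]$Build)
    # Every 11.x build is unpatched (no 11.x fix was issued) and every 12.x
    # build below 12.2.0.334 is vulnerable, so a plain version compare suffices.
    return $Build -lt $FixedBuild
}

if (-not (Test-Path $ServiceExe)) {
    Write-Warning "Veeam.Backup.Service.exe not found at $ServiceExe (not a backup server, or non-default path)"
    return
}

$build = [version](Get-Item $ServiceExe).VersionInfo.FileVersion
if (Test-VeeamVulnerableBuild -Build $build) {
    Write-Host "Build $build : VULNERABLE - upgrade to 12.2 (build 12.2.0.334) or later"
} else {
    Write-Host "Build $build : patched"
}

# Exposure: is the remoting port listening, and which inbound allow rules admit it?
$listener = Get-NetTCPConnection -State Listen -LocalPort $RemotingPort -ErrorAction SilentlyContinue
if ($listener) {
    Write-Host "TCP $RemotingPort is listening (PID $($listener.OwningProcess))"
    Get-NetFirewallPortFilter |
        Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -contains "$RemotingPort" } |
        Get-NetFirewallRule |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.Enabled -eq 'True' } |
        ForEach-Object {
            $scope = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ','
            Write-Host ("  allow rule '{0}' admits {1} from {2}" -f $_.DisplayName, $RemotingPort, $scope)
        }
} else {
    Write-Host "TCP $RemotingPort is not listening on this host"
}
```

An allow rule whose remote scope prints as `Any` means the endpoint is reachable from the whole network the server sits on; the firewall match only catches rules that name the port explicitly, so rules written as a range (for example `9392-9410`) must be reviewed by hand.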

Post-exploitation path in ransomware attacks:

  1. Exploit CVE-2024-40711 to gain SYSTEM on the Veeam Backup server
  2. Read the Veeam configuration database (default name VeeamBackup, on Microsoft SQL Server or, since v12, PostgreSQL), whose Credentials table holds the stored passwords for every protected system; they are encrypted, but code running on the backup server can decrypt them
  3. Use extracted credentials to move laterally to domain controllers and file servers
  4. Delete/encrypt Veeam backup files and disable backup jobs (destroying recovery options)
  5. Deploy ransomware to all accessible systems
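Step 1 of this chain leaves a distinctive trace: the gadget chain executes inside Veeam.Backup.Service.exe, so the service itself becomes the parent of whatever the attacker launches (a shell, net.exe to add an account). The detection below is an added example, not Veeam or Sophos tooling. It assumes Sysmon Event ID 1 (process creation) is being logged on the backup server, and the sample records are constructed to show the pattern.

```powershell
# Added example: flag the Veeam backup service spawning a shell or an
# account-management tool, the first observable step of the chain above.
# Assumption: Sysmon is installed and logs Event ID 1 on the backup server.

$VeeamParent     = 'Veeam.Backup.Service.exe'
$SuspectChildren = 'cmd.exe','powershell.exe','pwsh.exe','net.exe','net1.exe',
                   'rundll32.exe','mshta.exe','wscript.exe','cscript.exe','certutil.exe'

function Find-VeeamSuspiciousChildren {
    # Input objects need TimeCreated, ParentImage, Image and CommandLine.
    param([Parameter(ValueFromPipeline)]$Event)
    process {
        $parent = Split-Path -Leaf $Event.ParentImage
        $child  = Split-Path -Leaf $Event.Image
        if ($parent -ieq $VeeamParent -and $SuspectChildren -icontains $child) {
            [pscustomobject]@{
                TimeCreated = $Event.TimeCreated
                Child       = $child
                CommandLine = $Event.CommandLine
            }
        }
    }
}

function ConvertFrom-SysmonProcessCreate {
    # Flatten a Sysmon Event ID 1 record into the shape the function above expects.
    param([Parameter(ValueFromPipeline)][System.Diagnostics.Eventing.Reader.EventRecord]$Record)
    process {
        $data = @{}
        ([xml]$Record.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        [pscustomobject]@{
            TimeCreated = $Record.TimeCreated
            ParentImage = $data['ParentImage']
            Image       = $data['Image']
            CommandLine = $data['CommandLine']
        }
    }
}

# Constructed sample records (not real telemetry): a normal backup-job child
# process, then the pattern seen after exploitation.
$veeamDir = 'C:\Program Files\Veeam\Backup and Replication\Backup'
$sample = @(
    [pscustomobject]@{ TimeCreated='2024-10-01T02:10:11'; ParentImage="$veeamDir\Veeam.Backup.Service.exe"; Image="$veeamDir\Veeam.Backup.Manager.exe"; CommandLine='Veeam.Backup.Manager.exe' }
    [pscustomobject]@{ TimeCreated='2024-10-01T02:14:03'; ParentImage="$veeamDir\Veeam.Backup.Service.exe"; Image='C:\Windows\System32\cmd.exe'; CommandLine='cmd.exe /c net user bkupsvc2 Passw0rd! /add' }
    [pscustomobject]@{ TimeCreated='2024-10-01T02:14:04'; ParentImage='C:\Windows\System32\cmd.exe'; Image='C:\Windows\System32\net.exe'; CommandLine='net localgroup administrators bkupsvc2 /add' }
)
$sample | Find-VeeamSuspiciousChildren | Format-Table -AutoSize
# Only the 02:14:03 cmd.exe launch is reported: Veeam.Backup.Manager.exe is a
# legitimate child, and net.exe here is a grandchild (its parent is cmd.exe).

# Live hunt on a suspect server (last 30 days of Sysmon process creations):
# Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; Id=1; StartTime=(Get-Date).AddDays(-30)} |
#     ConvertFrom-SysmonProcessCreate | Find-VeeamSuspiciousChildren
```

Because the grandchild case is missed by design, pair this with Security log events 4720 (account created) and 4732 (member added to a local group) on the backup server during the same window; a new local administrator on a backup server is rarely legitimate.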

Discovery

The vulnerability was reported to Veeam through coordinated disclosure by Florian Hauser of CODE WHITE GmbH, who is credited in Veeam's KB4649 advisory. watchTowr published a technical analysis of the remoting endpoint and the blacklist bypass shortly after the advisory.

Exploitation Context

Sophos X-Ops and other incident responders documented ransomware actors exploiting CVE-2024-40711 in October 2024, which is the exploitation evidence behind the CISA KEV listing. Two groups were named:

  • Fog ransomware: used the exploit to create a local administrator account on the Veeam server, then destroyed backups and deployed the Fog encryptor
  • Akira ransomware: used CVE-2024-40711 as part of its standard intrusion playbook against enterprise networks running Veeam

In the documented attacks the actors first obtained initial access through compromised VPN gateway credentials on devices without MFA (Akira was separately observed exploiting the SonicWall SSL VPN bug CVE-2024-40766 in the same period), then used the Veeam exploit from inside the network, progressing from initial access to ransomware deployment within hours.

Remediation

  1. Upgrade to Veeam Backup & Replication 12.2 (build 12.2.0.334) or later immediately; 12.1.2.172 is the last vulnerable build, not the fix. The CISA deadline was November 7, 2024.
  2. Isolate the Veeam management network — TCP port 9401 (and the Veeam console ports 9392–9395) should only be accessible from authorized backup administrator workstations, not from the general enterprise network.
  3. Enable Veeam's immutable backup repositories (hardened repositories on Linux or object storage with immutability) — even if an attacker accesses the Veeam server, immutable backups cannot be deleted or encrypted.
  4. Audit the Veeam credential database for signs of unauthorized access — the Veeam configuration database stores credentials for all protected systems.
  5. Review Veeam job logs and backup file integrity for deletions or modifications during the exposure window.
  6. Rotate all credentials stored in Veeam (VMware vCenter, Hyper-V hosts, Windows backup credentials) if exploitation is suspected.
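Step 2 above is the one that can be applied before the maintenance window for the upgrade. The script below is an added example, not Veeam guidance: it scopes the management ports to a backup-admin subnet with Windows Defender Firewall. It assumes a placeholder admin subnet of 10.10.50.0/24, that the rules currently admitting these ports are broad allow rules (as created by the Veeam installer), and that the profile's default inbound action is Block, which is why it scopes the allow rules instead of adding a block rule (a Windows Firewall block rule would also override the scoped allow).

```powershell
# Added example: restrict Veeam management ports to the backup-admin subnet.
# Assumptions (not vendor guidance): admin workstations are in 10.10.50.0/24
# (placeholder), the default inbound action is Block, and every enabled inbound
# allow rule that covers these ports from 'Any' is one we may disable.
# Run elevated on the backup server. Validate console access before leaving.

$AdminSubnet = '10.10.50.0/24'
$MgmtPorts   = 9392, 9393, 9394, 9395, 9401   # console/Enterprise Manager ports and the .NET Remoting port

function Test-PortFilterAdmits {
    # $true if a port filter (LocalPort values like '9401', '9392-9395' or 'Any')
    # admits at least one of the given TCP ports.
    param($Filter, [int[]]$Ports)
    if ($Filter.Protocol -notin 'TCP', 'Any') { return $false }
    foreach ($p in @($Filter.LocalPort)) {
        if ($p -eq 'Any') { return $true }
        if ($p -match '^(\d+)-(\d+)$') { $lo = [int]$Matches[1]; $hi = [int]$Matches[2] }
        else                            { $lo = [int]$p;          $hi = [int]$p }
        if ($Ports | Where-Object { $_ -ge $lo -and $_ -le $hi }) { return $true }
    }
    return $false
}

# 1. Find enabled inbound allow rules that admit any management port from any address.
$broadRules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object { Test-PortFilterAdmits -Filter ($_ | Get-NetFirewallPortFilter) -Ports $MgmtPorts } |
    Where-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -contains 'Any' }

# 2. Disable them (they stay on disk and can be re-enabled if something breaks).
foreach ($rule in $broadRules) {
    Write-Host "Disabling broad allow rule '$($rule.DisplayName)'"
    $rule | Disable-NetFirewallRule
}

# 3. Replace with one allow rule scoped to the admin subnet.
New-NetFirewallRule -DisplayName 'Veeam management (admin subnet only)' `
    -Direction Inbound -Action Allow -Protocol TCP `
    -LocalPort '9392-9395', '9401' -RemoteAddress $AdminSubnet `
    -Profile Domain, Private | Out-Null

# 4. Show what now admits the ports, so the change can be verified at a glance.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object { Test-PortFilterAdmits -Filter ($_ | Get-NetFirewallPortFilter) -Ports $MgmtPorts } |
    ForEach-Object {
        $scope = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ','
        "{0,-45} from {1}" -f $_.DisplayName, $scope
    }
```

Add to `-RemoteAddress` the addresses of any other Veeam components that must reach the backup server on these ports (for example an Enterprise Manager host or a second console machine), and keep the upgrade on the schedule: the scoping limits who can reach the deserializer, it does not remove it.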

Key Details

Property              Value
CVE ID                CVE-2024-40711
Vendor / Product      Veeam — Backup & Replication
NVD Published         2024-09-07
NVD Last Modified     2025-10-30
CVSS 3.1 Score        9.8
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity              CRITICAL
CWE                   CWE-502
CISA KEV Added        2024-10-17
CISA KEV Deadline     2024-11-07
Known Ransomware Use  ⚠️ Yes

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2024-11-07. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date        Event
2024-09-04  Veeam publishes advisory KB4649; fix shipped in Backup & Replication 12.2 (build 12.2.0.334)
2024-09-07  CVE published by NVD
2024-10-17  CISA adds to KEV catalog after confirmed exploitation by ransomware actors
2024-11-07  CISA BOD 22-01 remediation deadline