CVE-2024-29849 Detection: A Critical Auth Bypass In Veeam Backup Enterprise Manager
Table of contents:
Another day, another threat on the radar challenging cyber defenders. This time, cybersecurity heads-up refers to a nefarious flaw identified across Veem Backup Enterprise Manager (VBEM) enabling adversaries to bypass authentication and obtain full access to the platform’s web interface. Tracked as CVE-2024-29849, the bug achieved a 9.8 CVSS score, posing an increasing menace with the PoC publicly released.
Detect CVE-2024-29849 Exploits
The latest stats reveal that 18,000+ vulnerabilities have already been identified in 2024, marking an increase of 46% compared to this time last year. With the escalating amount of flaws weaponized for in-the-wild attacks, security professionals are seeking a reliable source of curated detection rules and verified hunting queries to stay ahead of adversaries.
Using SOC Prime’s Platform for collective cyber defense, security experts gain access to a global rule feed of the latest ready-to-deploy behavioral detection algorithms available under a 24-hour SLA after threat discovery. To identify possible malicious activity linked to CVE-2024-29849 exploitation attempts, check out a Sigma rule below.
Possible CVE-2024-29849 (Veeam Backup Authentication Bypass) Exploitation Attempt (via webserver)
The detection is compatible with 30+ SIEM, EDR, and Data Lake solutions and mapped to the MITRE ATT&CK® framework v14. Additionally, detections are enriched with extensive metadata, including CTI references and attack timelines, helping security researchers smooth out threat investigations.
Searching for more detection content that addresses the Proactive Vulnerability Detection use case? Cyber defenders can dive into the entire detection stack aimed at vulnerability exploit detection by hitting the Explore Detections button below to boost SOC efficiency and secure organizational infrastructure.
CVE-2024-29849 Analysis
A critical VBEM security bug (CVE-2024-29849) has recently hit the headlines. The vendor released an advisory, notifying customers about a novel vulnerability that enables threat actors to overcome authentication protection upon its successful exploitation.Â
The vendor also revealed three additional security bugs affecting the same product, including CVE-2024-29850 which could lead to account compromise via NTLM relay, CVE-2024-29851, enabling a user with elevated privileges to pilfer NTLM hashes of a VBEM service account unless it’s configured to run as the default Local System account, and CVE-2024-29852, permitting an authorized user to retrieve backup session logs.
Earlier, adversaries weaponized vulnerabilities in Veeam products against organizations in the U.S. and Latin America, particularly, CVE-2023-27532, a security bug in Veeam Backup & Replication software.
Since a PoC for CVE-2024-29849 has surfaced online, it’s imperative that administrators promptly install the most recent security patches. To remediate the risks of weaponized attacks, the vendor has instantly addressed the patches in the VBEM version 12.1.2.172. For those unable to patch to the above-referenced VBEM version, defenders recommend limiting access to the VBEM web interface to trusted IP addresses, enabling MFA, and continuously keeping track of access logs for suspicious activity as temporary CVE-2024-29849 mitigation measures.
Since the risks of attacks weaponizing known vulnerabilities in popular software products leveraged by global enterprises are continuously escalating, defenders are searching for ways to take proactive threat detection to the next level. Explore SOC Primes’ newly released Enterprise Fair Use Licensing Model to gain unlimited threat detection and detection engineering capabilities with no limits related to content unlocking at no extra cost, helping your organization proactively defend against emerging and evergreen threats.