
Veeam Recovery Orchestrator Vulnerability (CVE-2024-29855)


Stabz

Hello guys,

A new vulnerability was found in the Web Console component of Veeam Recovery Orchestrator.

Issue Details

CVE-2024-29855

A vulnerability (CVE-2024-29855) in Veeam Recovery Orchestrator (VRO) version 7.0.0.337 allows an attacker to access the VRO web UI with administrative privileges.

Note: The attacker must know the exact username and role of an account that has an active VRO UI access token to accomplish the hijack.

Severity: Critical

CVSS 3.1 Score: 9.0

Solution

The vulnerability discussed in this article was resolved starting in:

  • Veeam Recovery Orchestrator 7.1.0.230
  • Veeam Recovery Orchestrator 7.0.0.379


More info in KB4585; a patch is already available :) : https://www.veeam.com/kb4585

1 comment

Chris.Childerhose
June 10, 2024

Nice to see that Veeam already patched this one. Thanks for sharing, Stabz.

Will keep this in mind when I start playing with VRO again.
