Skip to main content

Veeam Recovery Orchestrator Vulnerability (CVE-2024-29855)

Stabz
Forum|alt.badge.img+8
  • Stabz
  • On the path to Greatness
  • 351 comments

Hello guys,

A new vulnerability find in the Web Console component of Veeam Recovery Orchestrator.

Issue Details

CVE-2024-29855

A vulnerability (CVE-2024-29855) in Veeam Recovery Orchestrator (VRO) version 7.0.0.337 allows an attacker to access the VRO web UI with administrative privileges.

Note: The attacker must know the exact username and role of an account that has an active VRO UI access token to accomplish the hijack.

SeverityCritical
CVSS 3.1 Score: 9.0
 

Solution

The vulnerability discussed in this article was resolved starting in:

  • Veeam Recovery Orchestrator 7.1.0.230
  • Veeam Recovery Orchestrator 7.0.0.379


More info in the KB4585, a patch is already available :) : https://www.veeam.com/kb4585

Philippe DUPUIS |Veeam Certified Engineer | https://original-network.com/

    1 comment

    Chris.Childerhose
    Forum|alt.badge.img+21
    • Chris.Childerhose
    • Veeam Legend, Veeam Vanguard
    • 8402 comments
    • June 10, 2024

    Nice to see that Veeam already patched this one.  Thanks for sharing Stabz.

    Will keep this in mind when I start playing with VRO again.

    Chris Childerhose - VMCA2024 | VMCE2023 | VMCE-SP2024 | Veeam Vanguard 8* | Veeam Legend 5* | vExpert 6* | VCAP-DCV/VCP-DCV | Object First Ace | Cisco Champion | Twitter: @cchilderhose | Blog Site – https://just-virtualization.tech

    Comment


    Terms & Conditions