Veeam Recovery Orchestrator Vulnerability (CVE-2024-29855)

9 months ago
June 10, 2024
1 comment
48 views

+8

Stabz
On the path to Greatness
351 comments

Hello guys,

A new vulnerability find in the Web Console component of Veeam Recovery Orchestrator.

Issue Details

CVE-2024-29855

A vulnerability (CVE-2024-29855) in Veeam Recovery Orchestrator (VRO) version 7.0.0.337 allows an attacker to access the VRO web UI with administrative privileges.

Note: The attacker must know the exact username and role of an account that has an active VRO UI access token to accomplish the hijack.

Severity: Critical
CVSS 3.1 Score: 9.0

Solution

The vulnerability discussed in this article was resolved starting in:

Veeam Recovery Orchestrator 7.1.0.230
Veeam Recovery Orchestrator 7.0.0.379

More info in the KB4585, a patch is already available :) : https://www.veeam.com/kb4585

+21

Chris.Childerhose
Veeam Legend, Veeam Vanguard
8420 comments
9 months ago
June 10, 2024

Nice to see that Veeam already patched this one. Thanks for sharing Stabz.

Will keep this in mind when I start playing with VRO again.

Solution

Comment

Related topics

Vulnerability Scanner Detection Related to CVE-2023-38545

NIST Cybersecurity Framework 2.0 and how Veeam can help your organization

Vulnerability CVE-2023-38546icon

Veeam One Multiple Vulnerabilities - CVE-2023-38547 | CVE-2023-38548 CVE-2023-38549 | CVE-2023-41723

Incredible Scanning, Study Resources and Scaling in the Cloud

Sign up

Login to the community

Scanning file for viruses.

This file cannot be downloaded