
Veeam Recovery Orchestrator Vulnerability (CVE-2024-29855)

  • June 10, 2024
  • 1 comment
  • 53 views

Stabz

Hello guys,

A new vulnerability was found in the Web Console component of Veeam Recovery Orchestrator.

Issue Details

CVE-2024-29855

A vulnerability (CVE-2024-29855) in Veeam Recovery Orchestrator (VRO) version 7.0.0.337 allows an attacker to access the VRO web UI with administrative privileges.

Note: The attacker must know the exact username and role of an account that has an active VRO UI access token to accomplish the hijack.

Severity: Critical
CVSS 3.1 Score: 9.0

Solution

The vulnerability discussed in this article was resolved starting in:

  • Veeam Recovery Orchestrator 7.1.0.230
  • Veeam Recovery Orchestrator 7.0.0.379


More info in KB4585, and a patch is already available :) : https://www.veeam.com/kb4585
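As an added example (not code from the original post, from Veeam, or from KB4585): a small inventory triage helper that compares a VRO build string against the fixed builds quoted above, 7.0.0.379 for the 7.0 branch and 7.1.0.230 for the 7.1 branch. It assumes a four-part numeric build string as in the post, reports builds on any other branch as "unknown" rather than guessing, and the inventory it runs over is constructed sample data; how you collect the installed version from each host is outside what the post describes.

```python
from typing import Dict, List, Optional, Tuple

# First builds that carry the fix for CVE-2024-29855, per the KB4585
# figures quoted in the post, keyed by (major, minor) branch.
FIXED_BUILDS: Dict[Tuple[int, int], Tuple[int, int, int, int]] = {
    (7, 0): (7, 0, 0, 379),
    (7, 1): (7, 1, 0, 230),
}


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Parse a four-part VRO build string such as '7.0.0.337' (assumed format)."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected VRO version format: {version!r}")
    major, minor, build, rev = (int(p) for p in parts)
    return (major, minor, build, rev)


def has_fix(version: str) -> Optional[bool]:
    """True if the build is at or above the fixed build for its branch,
    False if it is below it, None if the branch is not covered by KB4585."""
    v = parse_version(version)
    fixed = FIXED_BUILDS.get(v[:2])
    if fixed is None:
        return None
    # Tuple comparison is lexicographic, so 7.0.0.1000 >= 7.0.0.379 holds.
    return v >= fixed


def triage(inventory: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Map each host to a verdict: 'patched', 'needs update', or 'unknown branch'."""
    verdicts = {True: "patched", False: "needs update", None: "unknown branch"}
    return [(host, ver, verdicts[has_fix(ver)]) for host, ver in sorted(inventory.items())]


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {
        "vro-prod-01": "7.0.0.337",
        "vro-prod-02": "7.0.0.379",
        "vro-lab-01": "7.1.0.230",
        "vro-lab-02": "7.1.0.100",
        "vro-legacy": "6.0.0.100",
    }
    for host, ver, verdict in triage(sample):
        print(f"{host:12} {ver:10} {verdict}")
```

Hosts reported as "needs update" are the ones to schedule for the KB4585 build; "unknown branch" means the post gives no figure for that branch, so check the KB directly rather than assuming either way.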

1 comment

Chris.Childerhose

Nice to see that Veeam already patched this one. Thanks for sharing, Stabz.

Will keep this in mind when I start playing with VRO again.