Veeam Recovery Orchestrator Vulnerability (CVE-2024-29855)



A vulnerability (CVE-2024-29855) in Veeam Recovery Orchestrator (VRO) version 7.0.0.337 allows an attacker to access the VRO web UI with administrative privileges.

Note: The attacker must know the exact username and role of an account that has an active VRO UI access token to accomplish the hijack.

The vulnerability discussed in this article was resolved starting in:

  • Veeam Recovery Orchestrator 7.1.0.230
  • Veeam Recovery Orchestrator 7.0.0.379

https://www.veeam.com/kb4585

