Veeam Backup Enterprise Manager, authentication bypass
Vulnerability in Veeam Backup Enterprise Manager allows unauthenticated attackers to log in to the Veeam Backup Enterprise Manager web interface as any user.
Overview
CVE-2024-29849 is a critical (CVSS 9.8) authentication bypass vulnerability in Veeam Backup Enterprise Manager (VBEM), the optional web-based console used to aggregate and manage multiple Veeam Backup & Replication (B&R) servers. The vulnerability allows an unauthenticated network attacker to log in to the VBEM web interface as any user, including administrators, without presenting valid credentials. Because Veeam is very widely deployed, particularly in SMB environments, and VBEM typically has visibility into an organization's entire backup estate, the flaw is a high-value target for ransomware operators.
Technical Details
The vulnerability exists in the authentication mechanism of the Veeam Backup Enterprise Manager web interface. An attacker with network access to the VBEM web UI can bypass the authentication process entirely and gain access as any user account configured in the system. The flaw is exploitable in default configurations, meaning no special setup or misconfiguration is required for exploitation.
Once authenticated to VBEM, an attacker can leverage the trust relationships established between VBEM and connected Veeam Backup & Replication servers to extend their access across the backup infrastructure. This includes the ability to browse backup configurations, view backup metadata for all protected workloads, and potentially interact with linked B&R servers.
Impact
The impact of this vulnerability is severe. Successful exploitation grants attackers:
- Full administrative access to the VBEM web interface
- Visibility into backup configurations and metadata for the entire protected environment
- Ability to disable or modify backup jobs
- Ability to initiate restores, which an attacker could abuse to roll systems back to tampered backup images
- Access to linked Veeam Backup & Replication servers via trust relationships
For ransomware actors, compromising backup infrastructure is a strategic priority: neutralizing backups before encrypting production systems eliminates the victim's recovery options. Ransomware groups including Conti and Cuba have historically targeted Veeam infrastructure, so post-disclosure exploitation should be expected.
Mitigation
- Patch immediately: Upgrade to Veeam Backup Enterprise Manager version 12.1.2.172 or later. Environments that never installed VBEM are not affected; only the B&R servers themselves are not enough to make you vulnerable.
- Remove if unused: VBEM is an optional component that many environments install alongside Backup & Replication but never actively use. Uninstall it entirely if it is not required; as an interim measure until it can be removed or patched, stop and disable the Veeam Backup Enterprise Manager and Veeam RESTful API services
- Network segmentation: Place VBEM behind a VPN or restrict web UI access to management networks only
- Review access controls: Audit user accounts and permissions within VBEM
Detection
Organizations should review VBEM audit logs for unfamiliar or suspicious login activity during the exposure window prior to patching. Because this is an authentication bypass rather than a credential attack, exploitation produces successful logins with no preceding burst of failures, so failed-logon thresholds will not catch it. Look instead for successful logins from unexpected IP addresses, for accounts that do not normally use VBEM, and for access outside normal administrative hours. No confirmed public exploitation was reported at the time of the initial advisory (May 2024), but a public proof of concept followed in June 2024; given the critical nature and ease of exploitation, assume active scanning and exploitation attempts.
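The two checks described above (confirming the installed build is at or above 12.1.2.172, and triaging successful VBEM logins by source address, account and time of day) as an added Python example. This is not Veeam code and it does not parse Veeam's real log format: the line layout, field names, management subnet, business-hours window and approved-account list are all constructed assumptions that you would replace with your own exported audit data and policy.

```python
"""Triage helpers for CVE-2024-29849 exposure review (added example, not Veeam code).

Assumptions (constructed for illustration, not taken from the Veeam advisory):
  - login records are exported one per line as
    "<ISO timestamp> user=<account> ip=<source> result=success|failure"
  - 10.10.0.0/24 is the management network from which admins normally log in
  - 07:00-19:00 is the normal administrative window
  - the set of accounts expected to use VBEM is known
"""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# First VBEM build containing the fix, per the advisory.
FIXED_VERSION = (12, 1, 2, 172)


def parse_version(version):
    """'12.1.1.56' -> (12, 1, 1, 56); short strings are padded with zeros."""
    parts = tuple(int(p) for p in version.strip().split("."))
    return parts + (0,) * (4 - len(parts))


def is_vulnerable_build(version):
    """True if the installed VBEM build predates 12.1.2.172."""
    return parse_version(version) < FIXED_VERSION


@dataclass
class LoginEvent:
    ts: datetime
    user: str
    source_ip: str
    success: bool


def parse_line(line):
    """Parse one constructed audit line into a LoginEvent."""
    ts_str, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return LoginEvent(
        ts=datetime.fromisoformat(ts_str),
        user=fields["user"],
        source_ip=fields["ip"],
        success=fields["result"] == "success",
    )


def load_events(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


# Policy inputs (assumptions).
MGMT_NETS = [ip_network("10.10.0.0/24")]
BUSINESS_HOURS = (time(7, 0), time(19, 0))
KNOWN_ADMINS = {"corp\\vbem-admin", "corp\\backupops"}


def triage(events, mgmt_nets=MGMT_NETS, known_users=KNOWN_ADMINS, hours=BUSINESS_HOURS):
    """Return [(event, [reasons])] for successful logins that look anomalous.

    Failed logins are ignored on purpose: an auth bypass yields a clean
    success with no brute-force precursor, so the signal lives in the
    successful events, not in failure counts.
    """
    known = {u.lower() for u in known_users}
    findings = []
    for e in events:
        if not e.success:
            continue
        reasons = []
        if not any(ip_address(e.source_ip) in n for n in mgmt_nets):
            reasons.append("source outside management network")
        if e.user.lower() not in known:
            reasons.append("unexpected account")
        if not (hours[0] <= e.ts.time() <= hours[1]):
            reasons.append("outside business hours")
        if reasons:
            findings.append((e, reasons))
    return findings


# Constructed sample audit lines (not real Veeam output).
SAMPLE_LOG = """\
2024-05-22T09:12:41 user=CORP\\vbem-admin ip=10.10.0.15 result=success
2024-05-22T23:48:03 user=CORP\\vbem-admin ip=203.0.113.77 result=success
2024-05-23T10:05:19 user=CORP\\svc-migrate ip=10.10.0.22 result=success
2024-05-23T11:30:00 user=CORP\\backupops ip=10.10.0.40 result=failure
"""

if __name__ == "__main__":
    for build in ("12.1.1.56", "12.1.2.172"):
        print(build, "vulnerable" if is_vulnerable_build(build) else "fixed")
    for event, reasons in triage(load_events(SAMPLE_LOG)):
        print(event.ts, event.user, event.source_ip, "->", "; ".join(reasons))
```

Note that the second sample line is a known administrator logging in successfully; the only things that make it stand out are the external source address and the hour. That is exactly the shape an authentication bypass leaves behind, which is why the account name alone is a weak discriminator here.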