Dive Brief:
- Threat groups are actively exploiting a critical vulnerability in Veeam Backup and Replication for ransomware attacks, researchers and federal cyber authorities said. Veeam disclosed the vulnerability, which has a CVSS score of 9.8, in a Sept. 4 security bulletin along with five other vulnerabilities in the enterprise backup software.
- The Cybersecurity and Infrastructure Security Agency added CVE-2024-40711 to its known exploited vulnerabilities catalog on Thursday and said it’s known to be used in ransomware attacks. The deserialization vulnerability allows an unauthenticated attacker to perform remote code execution.
- Researchers at Sophos X-Ops tracked at least four ransomware attacks involving CVE-2024-40711 exploits earlier this month. The cybersecurity vendor’s threat response team said it observed attacks linked to Akira and Fog ransomware variants. “In each of the cases, attackers initially access targets using compromised VPN gateways without multifactor authentication enabled,” Sophos X-Ops said in an Oct. 11 post on social platform X.
Exploits and ransomware attacks linked to CVE-2024-40711 follow a common sequence, underscoring the sustained exposure and long-tail impact of software vulnerabilities.
Veeam patched the vulnerability in a software update, Veeam Backup and Replication v12.2, on Aug. 28, Heidi Monroe Kroft, senior director of corporate communications and global public relations at Veeam, said via email Monday. “This was directly communicated to all impacted Veeam customers.”
Vulnerability researchers from Censys and Rapid7 sounded the alarm after the critical software defect in the popular enterprise product was patched and disclosed. Partial proof-of-concept exploit code was released within days of the public CVE disclosure.
Sophos X-Ops began tracking active exploits involving ransomware more than a month after Veeam resolved the vulnerability in a software update.
CVE-2024-40711 affects Veeam Backup and Replication version 12.1.2.172 and prior version 12 builds.
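A defender triaging an inventory of Veeam Backup and Replication servers needs to place each reported version against the range stated above (12.1.2.172 and earlier 12.x builds affected; fixed in 12.2). The following helper is an added example written for this page, not code from Veeam or from the researchers quoted; the hostnames and version strings in its sample inventory are constructed.

```python
"""Classify Veeam Backup & Replication build strings against the CVE-2024-40711
affected range as stated in the article: 12.1.2.172 and earlier 12.x builds are
affected, 12.2 is the first fixed release. Other major versions are reported as
'unknown' because the article does not cover them."""
import re

AFFECTED_MAX = (12, 1, 2, 172)   # last affected build named in the article
FIXED_MIN = (12, 2)              # first fixed release named in the article


def parse_version(text):
    """Turn '12.1.2.172' or 'v12.2.0.1' into a tuple of ints; None if unparsable."""
    m = re.fullmatch(r"v?(\d+(?:\.\d+)*)", text.strip())
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def _pad(version, width):
    """Right-pad a version tuple with zeros so tuples of unequal length compare sanely."""
    return version + (0,) * (width - len(version))


def classify(version_text):
    """Return 'affected', 'fixed' or 'unknown' for one version string."""
    v = parse_version(version_text)
    if v is None or v[0] != 12:
        return "unknown"            # unparsable, or a major version the article does not cover
    width = max(len(v), len(AFFECTED_MAX), len(FIXED_MIN))
    if _pad(v, width) >= _pad(FIXED_MIN, width):
        return "fixed"
    if _pad(v, width) <= _pad(AFFECTED_MAX, width):
        return "affected"
    return "unknown"                # 12.x build above 12.1.2.172 but below 12.2: not named in the article


def triage(inventory):
    """inventory: iterable of (hostname, version_string) pairs -> dict of hostname -> status."""
    return {host: classify(version) for host, version in inventory}


# Constructed sample inventory; hostnames and build numbers are made up for illustration.
SAMPLE_INVENTORY = [
    ("vbr-prod-01", "12.1.2.172"),
    ("vbr-prod-02", "v12.2.0.1"),
    ("vbr-lab-01", "12.0.0.100"),
    ("vbr-old-01", "11.0.1.1"),
    ("vbr-dr-01", "n/a"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```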
The application is used by enterprises to back up, replicate and restore virtual, physical and cloud machines.
“As a result of its popularity, it’s also a prime target for adversaries, including ransomware groups,” Caitlin Condon, director of vulnerability intelligence at Rapid7, said Monday via email. “More than 20% of Rapid7 incident response cases in 2024 have involved Veeam being accessed or exploited in some manner, typically once an adversary has already established a foothold in the target environment.”
Threat groups exploited previous Veeam Backup and Replication vulnerabilities months after disclosure, and almost a year later in one case, Condon said.
Veeam declined to say how many customers have patched or been impacted by the vulnerability.
Himaja Motheram, security researcher at Censys, said the number of exposed Veeam Backup and Replication servers has remained fairly consistent since the CVE was disclosed, dropping from 2,833 exposed instances on Sept. 6 to 2,784 exposed hosts as of Monday.
The exposed instances are mostly concentrated in Europe, according to Censys. The digital arm of the U.K.’s National Health Service issued a cybersecurity alert about active exploitation of CVE-2024-40711 on Oct. 11.
Reference
Cybersecurity Dive. (2025). Critical Veeam CVE actively exploited in ransomware attacks.
https://cybersecuritydive.blogspot.com/2025/04/critical-veeam-cve-actively-exploited.html