HomeCyber BalkansVeeam Backup BinaryFormatter Vulnerability Allows Remote Code Execution

Veeam Backup BinaryFormatter Vulnerability Allows Remote Code Execution

Published on

spot_img

Newly Discovered Vulnerability in Veeam Backup & Replication Systems

A recently uncovered deserialization vulnerability, assigned the identifier CVE-2026-44963, poses a significant threat to users of Veeam Backup & Replication (VBR). This flaw enables authenticated domain users to execute arbitrary code on backup servers by manipulating vulnerabilities in the handling of BinaryFormatter. Notably, this vulnerability has garnered attention due to its potential implications for IT security and data integrity across enterprise environments.

The issue has been thoroughly examined by security researchers at SecureLayer7 Labs, who highlighted it as part of a troubling trend involving flaws within Veeam’s .NET Remoting attack surface. The existing blacklisting protections are ineffective, failing to adequately safeguard against the exploitation of inherently unsafe deserialization methodologies.

Understanding Veeam Backup & Replication’s Role

Veeam Backup & Replication is a widely deployed backup solution utilized in enterprise settings for managing backup, replication, and disaster recovery tasks across various workload environments, including virtual, physical, and cloud infrastructures. The Backup Server serves as a crucial component in this ecosystem, acting as the central hub for managing backup jobs, storing credentials, and coordinating the infrastructure essential for robust data protection.

Due to its pivotal role, the Backup Server frequently becomes a target for ransomware attackers. Such malicious actors often aim to delete or manipulate backups before executing harmful payloads, thereby compromising the security and recoverability of vital data.

Mechanisms of Exploitation

The vulnerability is located within the Veeam Backup Service (Veeam.Backup.Service.exe), which operates on TCP port 8000, exposing a .NET Remoting HTTP endpoint at the /trigger path. This service utilizes BinaryFormatter deserialization encapsulated in a custom CProxyBinaryFormatter, designed to operate with a RestrictedSerializationBinder configured in FilterByBlacklist mode.

However, the design fails to enforce strict type safety. It only disables known dangerous classes while unwittingly trusting all other serializable types. Consequently, the structure becomes vulnerable to exploitation. Specifically, CVE-2026-44963 capitalizes on this design weakness by leveraging a previously unrecognized [Serializable] class that bypasses the blocklist, instigating unauthorized code execution during deserialization.

This attack only necessitates authentication from low-privilege domain users, as the authorization check merely confirms membership within WindowsBuiltInRole.User—a category that includes all domain users by default. Such a lack of privilege separation allows attackers to access the vulnerable deserialization sink without requiring administrative permissions.

The Attack Sequence

The exploitation process involves a sophisticated three-step interaction through Windows Communication Foundation (WCF). Initially, the RestoreJobSessionsDbScopeCreateSession method establishes a session context, followed by the OpenVbRestoreSession, which initializes the deserialization environment. The final step, ExecuteStartAgentSessionTrafficProxy, is responsible for delivering the malicious BinaryFormatter payload. CProxyBinaryFormatter processes this payload using Deserialize(), leading to a chain of events that exploit a vulnerability entrenched in the deserialization of System.Data.DataSet classes.

The core of the exploit revolves around the DataSet deserialization constructor, which interprets an attacker-supplied XML schema containing a specially crafted xsi:type reference. This design enables the instantiation of arbitrary .NET classes, specifically System.Windows.Data.ObjectDataProvider. By manipulating properties like ObjectInstance, MethodName, and MethodParameters, attackers can run commands using Process.Start, executing arbitrary commands within the context of the Veeam Backup Service, typically running with SYSTEM privileges.

The Root Cause and Recommended Actions

The crux of this vulnerability stems from Veeam’s continued reliance on BinaryFormatter, which Microsoft has classified as outdated and inherently dangerous since .NET version 5. The blocklisting approach evidently fails, as it cannot foresee all possible gadget classes, particularly those derived from DataSet, which could expose code-execution vulnerabilities. Each newly-discovered Common Vulnerability and Exposure (CVE) related to this category echoes a consistent pattern of unveiling new classes overlooked by the blocklist.

For instance, patch analysis regarding Veeam version 12.3.2.4854 (KB4696) indicates that the resolution for CVE-2026-44963 primarily involved adding the newly discovered gadget class to the embedded BinaryFormatter.blacklist.txt resource. Importantly, no architectural modifications were introduced to eliminate BinaryFormatter or redesign the deserialization pipeline, allowing the broader attack surface to remain largely intact. In contrast, Veeam version 13.x has successfully eradicated the BinaryFormatter-based pipeline, thereby enhancing immunity against similar vulnerabilities.

Security experts emphasize the importance of recognizing the implications of CWE-502 (Deserialization of Untrusted Data). The vulnerability underlines the inherent risks associated with relying solely on blacklist-based defenses.

Organizations currently operating on Veeam version 12.x are strongly advised to apply any available patches immediately, restrict network access to TCP port 8000, and contemplate the implementation of backup servers in workgroup mode to minimize exposure to domain-based authentication threats.

Source link

Latest articles

Keyfactor Secures $1 Billion to Enhance Crypto Trust Platform

CEO Jordan Rackie Highlights AI, Regulation, and Quantum Computing as Key Demand Drivers A trust...

AI Agent Hacks Network, Adapts in Real Time, and Demands Ransom

Adaptive decision-making within cybersecurity is becoming an increasingly pressing concern among experts in the...

7 Common Pitfalls to Avoid in Cyber Risk Assessment

Cyber risk assessments are integral to safeguarding organizations against potential security threats. Yet, a...

More like this

Keyfactor Secures $1 Billion to Enhance Crypto Trust Platform

CEO Jordan Rackie Highlights AI, Regulation, and Quantum Computing as Key Demand Drivers A trust...

AI Agent Hacks Network, Adapts in Real Time, and Demands Ransom

Adaptive decision-making within cybersecurity is becoming an increasingly pressing concern among experts in the...

7 Common Pitfalls to Avoid in Cyber Risk Assessment

Cyber risk assessments are integral to safeguarding organizations against potential security threats. Yet, a...