Unauthenticated RCE in Veeam Backup & Replication
CVE-2024-40711 is a critical deserialization-of-untrusted-data vulnerability in Veeam Backup & Replication (some sources refer to the product as Veeam Backup & Recovery). The flaw allows a remote, unauthenticated attacker to send a crafted malicious serialized payload to a vulnerable Veeam Backup & Replication service and trigger remote code execution. The issue is described as affecting Veeam Backup & Replication version 12.1.2.172 and earlier 12.x builds; other sources summarize the affected range as versions up to and including 12.1.2. The vulnerability has been assigned a CVSS score of 9.8 and has been observed in real-world ransomware intrusion chains.
Exploits
2 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos.
This repository is a proof-of-concept (PoC) exploit for CVE-2024-40711, targeting unsafe .NET object deserialization in Microsoft .NET Framework 4.8 applications. The core exploit logic is implemented in C# within the ExploitClass and GhostWebShell classes. The exploit demonstrates multiple payloads, including displaying a message box, writing files to disk, making DNS requests for out-of-band detection, executing arbitrary system commands, and deploying a persistent ASP.NET webshell by registering a custom VirtualPathProvider. The webshell is written to a virtual path (e.g., /fakepath31337/ghostfile.aspx) and can persist across application restarts. The exploit requires the target application to deserialize attacker-controlled data using vulnerable gadget chains. The repository also includes a test console application for local code-execution testing, along with various package dependencies. The exploit is operational and provides real payloads for code execution and persistence, making it relevant to both offensive security testing and defensive research.
This repository is a comprehensive proof-of-concept and exploitation toolkit for CVE-2024-40711, a critical .NET deserialization vulnerability affecting Veeam Backup & Replication. The core of the repository is based on ysoserial.net, a well-known framework for generating .NET deserialization payloads using various gadget chains. The structure includes:
- **ysoserial**: The main payload generator, supporting multiple gadgets and formatters for .NET deserialization attacks.
- **ExploitClass/ExploitClass.cs**: Example C# class for custom payloads, demonstrating code execution (e.g., message box, file creation, DNS exfiltration, command execution).
- **ExploitClass/GhostWebShell.cs**: Implements a webshell dropper via virtual path provider manipulation, allowing persistent webshell deployment on vulnerable ASP.NET applications.
- **TestConsoleApp**: Used for local testing of code execution.
- **ExploitRemotingService**: Example .NET Remoting server for testing and exploitation.
The exploit works by generating a malicious serialized payload (using ysoserial.net) that, when deserialized by a vulnerable .NET application (such as Veeam's Remoting service), results in arbitrary code execution. The toolkit supports a variety of payloads, including command execution, file creation, and webshell deployment. The main attack vector is network-based, targeting the .NET Remoting TCP service (commonly on port 6170). The repository also provides example endpoints and payloads for exfiltration and post-exploitation (e.g., DNS, HTTP, file system). Overall, this is a weaponized, operational exploit framework for CVE-2024-40711, suitable for both research and real-world exploitation scenarios.
Recent activity
35 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A Veeam Backup & Replication unauthenticated remote code execution vulnerability used by Akira as an alternative initial access vector.
Referenced in the actor’s operational notes as a potential exploit target; the report indicates the actor generally failed when attempting exploitation beyond basic automated paths.
A deserialization-based remote code execution vulnerability in Veeam Backup & Replication.
A known vulnerability in Veeam Backup & Replication that the threat actor attempted to exploit during post-compromise activity against backup infrastructure.