On May 21, 2024, Veeam revealed a severe flaw across its Veeam Backup Enterprise Manager (VBEM) web interface that enables an unauthenticated attacker to log into the web interface as any user. Officially designated as CVE-2024-29849, the vulnerability presents a major threat with a CVSS V3 rating of 9.8 (critical). VBEM is a web-based platform that allows administrators to oversee Veeam Backup and Replication installations through a web interface console. Hence, threat actors might exploit CVE-2024-29849 to carry out harmful activities, including obtaining unauthorized access to confidential information, altering data, or interrupting operations. Details about the exploit In a detailed research report released by Summoning Team, the flaw was identified on the TCP port 9398, which serves as a REST API server for the primary web application. The exploitation method involves transmitting a specially crafted VMware single-sign-on (SSO) token to the vulnerable service via the Veeam API. This token includes an authentication request that mimics an administrator user and an SSO service URL that Veeam does not validate. The base64-encoded SSO (Single Sign Out) token is decoded and processed as XML to confirm its validity through a SOAP request sent to a URL controlled by the attacker. The attacker's rogue server responds affirmatively to validation requests, leading Veeam to accept the authentication request and grant administrator access to the attacker. Source: Summoning Team…Read More