#1 Middle East & Africa Trusted Cybersecurity News & Magazine |


Critical Veeam Backup & Replication Vulnerability Under Active Exploitation


A critical vulnerability in Veeam Backup & Replication (CVE-2024-40711) has recently come under active exploitation, with attackers leveraging this flaw to deploy ransomware, steal sensitive data, and compromise systems. The vulnerability, exploited through unsecured VPN gateways and unpatched systems, has affected organizations globally, leading to incidents involving ransomware families such as Fog and Akira. As cybercriminals continue to evolve their tactics, cybersecurity professionals must remain vigilant, prioritize timely patching, and enhance defenses to mitigate this growing threat.

Details of the Veeam Backup & Replication Vulnerability (CVE-2024-40711)

Veeam, a widely used backup and recovery solution, has become the latest target of sophisticated cyberattacks. Exploiting a known vulnerability, CVE-2024-40711, attackers are taking advantage of organizations that have not updated their systems or that are running unsupported versions of VPN software. The flaw lies in the Veeam.Backup.MountService.exe service, accessible through the URI /trigger on port 8000. Once exploited, the vulnerability allows the creation of a local account, typically named “point”, which is added to the Administrators and Remote Desktop Users groups, granting full access to the compromised system.

In several observed cases, attackers used this access to attempt ransomware deployment, notably Fog and Akira ransomware. According to Sophos X-Ops MDR and Incident Response teams, four separate attacks over the past month have involved these ransomware variants, with the attackers initially breaching targets through compromised VPN credentials.

In one case, a Fog ransomware attack targeted an unprotected Hyper-V server, using the rclone utility to exfiltrate data. The attack illustrates the severity of leaving known vulnerabilities unpatched and the importance of securing remote access points such as VPN gateways. Fortunately, Sophos endpoint protection and managed detection and response (MDR) services successfully thwarted several ransomware deployments, preventing what could have been catastrophic data losses.

“Sophos X-Ops MDR and Incident Response are tracking a series of attacks in the past month leveraging compromised credentials and a known vulnerability in Veeam (CVE-2024-40711) to create an account and attempt to deploy ransomware. In one case, attackers dropped Fog ransomware. Another attack in the same timeframe attempted to deploy Akira ransomware. Indicators in all 4 cases overlap with earlier Akira and Fog ransomware attacks. In each of the cases, attackers initially accessed targets using compromised VPN gateways without multifactor authentication enabled. Some of these VPNs were running unsupported software versions. Each time, the attackers exploited VEEAM on the URI /trigger on port 8000, triggering the Veeam.Backup.MountService.exe to spawn net.exe. The exploit creates a local account, “point,” adding it to the local Administrators and Remote Desktop Users groups. In the Fog ransomware incident, the attacker deployed it to an unprotected Hyper-V server, then used the utility rclone to exfiltrate data. Sophos endpoint protection and MDR prevented ransomware deployments in the other cases. These cases underline the importance of patching known vulnerabilities, updating/replacing out-of-support VPNs, and using multifactor authentication to control remote access. Sophos X-Ops continues to track this threat behavior,” Sophos X-Ops said.

Active exploitation of CVE-2024-40711

“Security researchers have reported CVE-2024-40711 is under active exploitation by ransomware groups. These groups are reportedly exploiting CVE-2024-40711 as a second stage exploit to create new local Administrator accounts to facilitate further objectives on compromised networks. Reports warn of exploitation attempts since shortly after official disclosure by Veeam. Enterprise backup and disaster recovery applications are valuable targets for cyber threat groups. Vulnerabilities in backup and disaster recovery applications are often exploited in the wild by ransomware groups shortly after official disclosure, and the NHS England National CSOC assess exploitation of CVE-2024-40711 as highly likely to continue,” NHS England said.

Key Attack Methods:

  • Attackers accessed targets through compromised VPN gateways without multifactor authentication (MFA) enabled, further exploiting VPNs running outdated or unsupported software.
  • The vulnerability was triggered on port 8000, allowing attackers to create new local administrator accounts.
  • Ransomware like Fog and Akira was deployed following system compromise, with data exfiltrated using tools like rclone.

This recent spate of attacks underscores the importance of patching known vulnerabilities, particularly in widely used systems like Veeam. Organizations must also ensure their remote access methods are secured with MFA and that unsupported software is updated or replaced promptly.

“Better patch your Veeam Backup & Replication servers! Full system takeover via CVE-2024-40711, discovered by our very own @frycos – no technical details from us this time because this might instantly be abused by ransomware gangs,” CODE WHITE GmbH said.

10 Tips to Avoid Future Exploitation of Such Vulnerabilities:

To mitigate the risks posed by this and other vulnerabilities, cybersecurity professionals should implement the following best practices:

  1. Regularly Patch and Update Software
    Ensure that all critical systems, including backup solutions like Veeam, are kept up to date with the latest security patches. This will close vulnerabilities like CVE-2024-40711 before they can be exploited.
  2. Enforce Multifactor Authentication (MFA)
    Implement MFA for all remote access points, including VPNs and administrative logins, to add an extra layer of security. This step is crucial in preventing unauthorized access even if credentials are compromised.
  3. Replace Unsupported Software
    Running outdated or unsupported software increases the likelihood of vulnerabilities being exploited. Ensure that all systems, especially VPN gateways, are updated or replaced with supported versions.
  4. Conduct Regular Security Audits
    Regular audits can help identify vulnerabilities in your infrastructure before attackers do. These audits should focus on both software patches and configuration issues.
  5. Monitor for Suspicious Account Activity
    Enable monitoring for the creation of new user accounts, particularly administrative accounts. In this case, the creation of the “point” account could have been a red flag if proactive monitoring had been in place.
  6. Restrict Administrative Access
    Limit administrative access to critical systems only to authorized personnel and require justifications for any new administrative accounts. Use least privilege principles where possible.
  7. Isolate Critical Backup Systems
    Backup systems like Veeam should be isolated from the rest of the network where possible. This isolation prevents ransomware from easily spreading across systems once access is gained.
  8. Implement Endpoint Detection and Response (EDR)
    Use advanced EDR tools to monitor for unusual behavior, such as the execution of ransomware or unauthorized account creation. In several cases, Sophos EDR prevented ransomware deployment, showcasing its value.
  9. Test Incident Response Plans
    Regularly test and update your incident response plans. Knowing how to respond to a ransomware attack or data breach can significantly reduce the impact of an incident.
  10. Secure Hyper-V and Virtual Environments
    Hyper-V and other virtualization platforms should be secured with robust access controls and regular monitoring to prevent attackers from targeting virtual machines, as seen in the Fog ransomware incident.
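As an added illustration of tips 5 and 8 (this is not code from the article, from Sophos or from Veeam), the following Python scans process-creation records for the two behaviours the incident reports describe: Veeam.Backup.MountService.exe spawning net.exe, and a local account being created and then added to the Administrators or Remote Desktop Users groups. The record format (parent_image|image|command_line) and the sample lines are constructed assumptions; in practice the same logic would run over Sysmon Event ID 1 or Windows Security Event ID 4688 data.

```python
import re

# Constructed sample events (hypothetical, not taken from the article):
# each line is parent_image|image|command_line, as a minimal process-creation log.
SAMPLE_EVENTS = [
    r"C:\Program Files\Veeam\Backup and Replication\Backup\Veeam.Backup.MountService.exe|C:\Windows\System32\net.exe|net user point P@ss /add",
    r"C:\Program Files\Veeam\Backup and Replication\Backup\Veeam.Backup.MountService.exe|C:\Windows\System32\net.exe|net localgroup Administrators point /add",
    r'C:\Program Files\Veeam\Backup and Replication\Backup\Veeam.Backup.MountService.exe|C:\Windows\System32\net.exe|net localgroup "Remote Desktop Users" point /add',
    r"C:\Windows\explorer.exe|C:\Windows\System32\net.exe|net use Z: \\fileserver\share",
    r"C:\Windows\System32\services.exe|C:\Windows\System32\svchost.exe|svchost.exe -k netsvcs",
]

# Local groups whose membership changes are always worth an alert.
PRIVILEGED_GROUPS = {"administrators", "remote desktop users"}


def parse_event(line):
    """Split one parent_image|image|command_line record into its three fields."""
    parent, image, cmd = line.split("|", 2)
    return {"parent": parent, "image": image, "cmd": cmd}


def classify(event):
    """Return the list of alert tags for one event; an empty list means benign."""
    tags = []
    parent_name = event["parent"].rsplit("\\", 1)[-1].lower()
    image_name = event["image"].rsplit("\\", 1)[-1].lower()
    cmd = event["cmd"].lower()
    # 1. The backup mount service has no legitimate reason to launch net.exe/net1.exe.
    if parent_name == "veeam.backup.mountservice.exe" and image_name in {"net.exe", "net1.exe"}:
        tags.append("veeam_mountservice_spawned_net")
    # 2. Local account creation via "net user <name> <password> /add".
    m = re.match(r"net1?\s+user\s+(\S+)\s+\S+\s+/add\b", cmd)
    if m:
        tags.append(f"local_account_created:{m.group(1)}")
    # 3. Addition to a privileged local group via "net localgroup <group> <name> /add".
    m = re.match(r'net1?\s+localgroup\s+"?([^"]+?)"?\s+(\S+)\s+/add\b', cmd)
    if m and m.group(1).strip() in PRIVILEGED_GROUPS:
        tags.append(f"added_to_{m.group(1).strip().replace(' ', '_')}:{m.group(2)}")
    return tags


def scan(lines):
    """Classify every record and return {record_index: tags} for the records that fired."""
    hits = {}
    for i, line in enumerate(lines):
        tags = classify(parse_event(line))
        if tags:
            hits[i] = tags
    return hits
```

Running scan(SAMPLE_EVENTS) flags only the three MountService-spawned net.exe records, each with the account-creation or group-addition detail for the “point” account, while the ordinary net use and svchost records stay silent.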

Conclusion:

The active exploitation of the Veeam Backup & Replication vulnerability (CVE-2024-40711) is a stark reminder of the critical need for vigilance in cybersecurity. Unpatched systems, unsecured remote access points, and outdated software are prime targets for cybercriminals, as demonstrated by the recent ransomware attacks involving Fog and Akira. By following best practices such as patching, enabling MFA, and conducting regular audits, organizations can significantly reduce their exposure to these threats.

As attackers continue to evolve their tactics, cybersecurity professionals must remain proactive, staying ahead of potential exploits and reinforcing their defenses. The Veeam vulnerability may not be the last, but with the right security posture, it doesn’t have to lead to a successful breach.


Ouaissou DEMBELE (http://cybercory.com)
Ouaissou DEMBELE is a seasoned cybersecurity expert with over 12 years of experience, specializing in purple teaming, governance, risk management, and compliance (GRC). He currently serves as Co-founder & Group CEO of Sainttly Group, a UAE-based conglomerate comprising Saintynet Cybersecurity, Cybercory.com, and CISO Paradise. At Saintynet, where he also acts as General Manager, Ouaissou leads the company’s cybersecurity vision—developing long-term strategies, ensuring regulatory compliance, and guiding clients in identifying and mitigating evolving threats. As CEO, his mission is to empower organizations with resilient, future-ready cybersecurity frameworks while driving innovation, trust, and strategic value across Sainttly Group’s divisions. Before founding Saintynet, Ouaissou held various consulting roles across the MEA region, collaborating with global organizations on security architecture, operations, and compliance programs. He is also an experienced speaker and trainer, frequently sharing his insights at industry conferences and professional events. Ouaissou holds and teaches multiple certifications, including CCNP Security, CEH, CISSP, CISM, CCSP, Security+, ITILv4, PMP, and ISO 27001, in addition to a Master’s Diploma in Network Security (2013). Through his deep expertise and leadership, Ouaissou plays a pivotal role at Cybercory.com as Editor-in-Chief, and remains a trusted advisor to organizations seeking to elevate their cybersecurity posture and resilience in an increasingly complex threat landscape.
