How to Fix CVE-2024-40711: Veeam Backup & Replication Deserialization RCE
*By Sai Kiran Pandrala*
| Item | Detail |
|---|---|
| Severity | CVSS 9.8, Critical |
| Actively exploited? | Yes. Listed in CISA KEV; Akira and Fog ransomware operators have used it in intrusions. |
| Affected | Veeam Backup & Replication 12.1.2.172 and all earlier builds |
| Fixed in | VBR 12.2, build 12.2.0.334 or later (per Veeam KB4649) |
| Type (CWE) | CWE-502: Deserialization of Untrusted Data |
⚠️ Patch immediately. Backup servers are a primary target for ransomware crews: compromise the backups first, then encrypt production. Active exploitation is widespread.
What is CVE-2024-40711?
Veeam Backup & Replication (VBR) is a widely deployed enterprise backup product. A deserialization-of-untrusted-data flaw in VBR lets an unauthenticated remote attacker send a crafted serialized payload that the backup service deserializes, instantiating attacker-chosen types and executing arbitrary code as the VBR service account (by default Local System on Windows).
The Veeam advisory rates this CVSS 9.8 and explicitly notes it does not require authentication. Once an attacker has code execution on the backup server, they can:
- Read backup catalogs to map the protected environment
- Modify retention policies to shorten recovery windows
- Delete backup chains to remove restoration options
- Recover the credentials VBR stores for backup proxies, repositories, and vCenter/Hyper-V hosts, and reuse them against the rest of the environment
Security researchers have reported Akira and Fog ransomware operators using this CVE as part of their pre-encryption playbook: destroy the backups first, then encrypt.
Am I affected?
You are affected if you run Veeam Backup & Replication at any build up to and including 12.1.2.172. The fix ships only in 12.2, so older major versions that are out of support should be treated as affected as well.
Check your VBR version: open the Veeam console → Help → About, or PowerShell:
Get-VBRVersion
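A scripted form of this check, added here as an example rather than taken from Veeam's tooling or the original article. It reads the installed build from the Windows uninstall registry entries, falls back to the file version of Veeam.Backup.Core.dll located through the CorePath value under HKLM:\SOFTWARE\Veeam\Veeam Backup and Replication, and compares the result with the KB4649 fixed build. The registry locations, the "Veeam Backup & Replication*" DisplayName prefix and the function names are assumptions about a standard install. The same function is what you run again after upgrading to confirm the fix.

```powershell
# Added example (not Veeam's code): is the local VBR install below the KB4649
# fixed build? Registry paths and the DisplayName prefix are assumptions.
$FixedBuild = [version]'12.2.0.334'   # fixed build per Veeam KB4649

function Get-VbrInstalledVersion {
    # Preferred source: the product entry shown in Programs and Features.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $entry = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Veeam Backup & Replication*' -and $_.DisplayVersion } |
        Select-Object -First 1
    if ($entry) { return [version]$entry.DisplayVersion }

    # Fallback: file version of the core assembly, found via Veeam's CorePath value
    # (assumed location of the install-path registry value).
    $core = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Veeam\Veeam Backup and Replication' `
                -ErrorAction SilentlyContinue
    if ($core -and $core.CorePath) {
        $dll = Join-Path $core.CorePath 'Veeam.Backup.Core.dll'
        if (Test-Path $dll) { return [version](Get-Item $dll).VersionInfo.FileVersion }
    }
    return $null
}

function Test-Cve202440711Patched {
    # Returns an object rather than printing, so results can be collected across hosts.
    $installed = Get-VbrInstalledVersion
    if (-not $installed) {
        return [pscustomobject]@{ Installed = $null; Patched = $null; Status = 'VBR not found on this host' }
    }
    $patched = $installed -ge $FixedBuild
    $status  = if ($patched) { "At or above $FixedBuild (KB4649)" }
               else          { "Affected: upgrade to 12.2 ($FixedBuild or later)" }
    [pscustomobject]@{ Installed = $installed; Patched = $patched; Status = $status }
}

Test-Cve202440711Patched | Format-List
```

Run it on every backup server, and on any workstation with a standalone console, which carries the same build number; every result with `Patched` false is your worklist.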
How to fix CVE-2024-40711
- Open Veeam KB4649 linked below for the exact fixed build and any prerequisite components that need patching.
- Back up the Veeam configuration database before upgrading:
- Console → Backup Infrastructure → Configuration Backup → Backup now
- Download VBR 12.2 build 12.2.0.334 (or the latest current 12.2.x build) from the Veeam customer portal.
- Stop Veeam services:
Get-Service -Name "Veeam*" | Stop-Service -Force
- Run the VBR installer in upgrade mode. The installer preserves the configuration database and component registrations.
- Restart Veeam services when the installer completes.
- Verify the installed build with Get-VBRVersion (or Help → About); it should report 12.2.0.334 or later.
For distributed deployments (separate backup proxies, repositories, mount servers), upgrade the components per the order in the Veeam Upgrade Guide. The backup server itself must be upgraded first; components follow.
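The steps above, wrapped in a script as an added example; this is not Veeam's own tooling and not code from the original article. It assumes (none of which the article states) that it runs elevated on the backup server, that the Veeam PowerShell module shipped with the console (Veeam.Backup.PowerShell) is present, and that Start-VBRConfigurationBackupJob is the cmdlet that runs the configuration backup job on demand. The 12.2 installer itself is still run by hand between the two functions.

```powershell
# Added example, not Veeam's tooling: pre- and post-upgrade wrapper around the
# manual 12.2 installer. Module name and Start-VBRConfigurationBackupJob are
# assumptions; verify them against the Veeam PowerShell reference.
$StatePath = Join-Path $env:ProgramData 'vbr-upgrade-state.json'

function Invoke-VbrPreUpgrade {
    # Step 1: configuration backup, so jobs, repositories and stored credentials
    # can be restored if the upgrade fails part-way.
    Import-Module Veeam.Backup.PowerShell -ErrorAction Stop
    Connect-VBRServer -Server localhost
    try {
        Start-VBRConfigurationBackupJob
    } finally {
        Disconnect-VBRServer
    }

    # Step 2: record which Veeam services are running *before* stopping them.
    # Restarting everything named Veeam* afterwards would also start services an
    # admin had deliberately disabled, so the post-upgrade step restores this set.
    $running = @(Get-Service -Name 'Veeam*' | Where-Object Status -eq 'Running')
    @{ Services = @($running | ForEach-Object Name) } |
        ConvertTo-Json | Set-Content -Path $StatePath

    Get-Service -Name 'Veeam*' | Stop-Service -Force
    $notStopped = @(Get-Service -Name 'Veeam*' | Where-Object Status -ne 'Stopped')
    if ($notStopped) { throw "Still running: $($notStopped.Name -join ', ')" }
    Write-Host "Stopped $($running.Count) service(s); state saved to $StatePath. Run the 12.2 installer now."
}

function Invoke-VbrPostUpgrade {
    # Step 3: after the installer finishes, bring back exactly the services that
    # were running before and confirm each one reaches Running.
    $state = Get-Content -Path $StatePath -Raw | ConvertFrom-Json
    foreach ($name in $state.Services) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if (-not $svc) { Write-Warning "$name no longer exists; the installer may have renamed or removed it"; continue }
        if ($svc.Status -ne 'Running') { Start-Service -Name $name }
        try {
            $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(60))
        } catch [System.ServiceProcess.TimeoutException] {
            Write-Warning "$name did not reach Running within 60s; check the Veeam service logs"
        }
    }
    Get-Service -Name 'Veeam*' | Select-Object Name, Status, StartType
}
```

Usage is three separate actions: `Invoke-VbrPreUpgrade`, then Setup.exe from the mounted 12.2 ISO with the Upgrade option, then `Invoke-VbrPostUpgrade`. The saved service list is the point of the wrapper: a blanket `Start-Service Veeam*` after the upgrade would silently re-enable components you had turned off.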
If you can't patch immediately
- Take the Veeam backup server off any network it doesn't need to reach. VBR should communicate only with backup proxies, repositories, vCenter/Hyper-V, and the management workstation. Public internet access is rarely needed.
- Restrict the Veeam backup service port (TCP 9392 by default) at the host firewall and the network firewall to known administrative IPs, and do the same for any other backup-server ports listed in the port reference of the Veeam user guide.
- Disable any remote VBR console access that is not strictly required.
These reduce exposure but do not remediate. The deserialization sink is in the core service.
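One way to do the host-firewall part of this with Windows Defender Firewall, added here as an example (not from the article or from Veeam). The admin addresses are placeholders, the port is the default 9392 the article cites, and the function name is invented for this example. The design point is that Windows Firewall evaluates explicit Block rules before Allow rules, so "add a Block rule for everyone else" would lock out the admins too; the correct shape is a Block default with the existing Allow rules narrowed to the management addresses.

```powershell
# Added example, not the article's or Veeam's code: scope inbound TCP 9392 to
# admin addresses. $AdminAddresses and the rule name are placeholders.
$AdminAddresses = @('10.10.50.0/24', '10.10.51.10')   # placeholder management CIDR/hosts
$VbrPort        = '9392'                              # default backup service port per the article

function Limit-VbrConsolePort {
    # Make sure unmatched inbound traffic is dropped on every profile (this is the
    # Windows default, but a previous admin may have changed it).
    Set-NetFirewallProfile -All -DefaultInboundAction Block

    # Find every enabled inbound Allow rule whose port filter covers 9392/TCP,
    # then narrow its remote-address scope instead of adding a competing Block.
    $rules = Get-NetFirewallPortFilter |
        Where-Object { $_.Protocol -eq 'TCP' -and ($_.LocalPort -contains $VbrPort) } |
        Get-NetFirewallRule |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }

    if (-not $rules) {
        # No port-specific rule exists (for example Veeam's rule was deleted): create
        # one that is scoped from the start.
        $rules = New-NetFirewallRule -DisplayName 'Veeam Backup Service (admin only)' `
            -Direction Inbound -Protocol TCP -LocalPort $VbrPort `
            -RemoteAddress $AdminAddresses -Action Allow
    } else {
        $rules | Set-NetFirewallRule -RemoteAddress $AdminAddresses
    }

    # Show the resulting scope for review.
    $rules | ForEach-Object {
        [pscustomobject]@{
            Rule          = $_.DisplayName
            RemoteAddress = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ', '
        }
    }
}

Limit-VbrConsolePort
```

This only touches rules keyed on the port. A program-based rule (one that allows Veeam.Backup.Service.exe on any port) has `LocalPort` of `Any` and is not matched, so list `Get-NetFirewallApplicationFilter` for Veeam binaries separately and scope those the same way. Confirm from a host outside the admin ranges that `Test-NetConnection -ComputerName <vbr> -Port 9392` now fails, and from an admin host that it still succeeds.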
How to verify the fix worked
- PowerShell:
Get-VBRVersion
Output should be 12.2.0.334 or later.
- Run an authenticated vulnerability scan against the VBR server. CVE-2024-40711 detection should clear.
- IoC hunt (essential: in-the-wild exploitation followed the advisory and public write-ups within weeks, so any server that was exposed while unpatched may already have been compromised):
- Review Veeam role assignments (Users and Roles in the console) and the local Administrators group on the VBR server for unfamiliar accounts created during the exposure window.
- Check the Windows Security log on the VBR server for unusual service-account logons (event 4624: a service account should never show interactive or RDP logon types, and network logons should come only from management hosts).
- Look for unfamiliar backup jobs, retention modifications, or repository deletions in the Veeam history.
- Check the file system on the VBR server for unexpected binaries dropped during the unpatched period.
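A first-pass hunt over the Windows-side items in that checklist, added here as an example and not part of the original article. The exposure window, the known admin hosts and the service account name are placeholders; the event property indices follow the Security log schema for events 4624 (logon) and 4720 (user account created). It covers the service-account logon, new-account and dropped-binary checks; the Veeam-side checks (roles, jobs, retention, repository history) are done in the console.

```powershell
# Added example, not from the article: hunt the VBR host for the artifacts the
# checklist names. $Since, $KnownAdminHosts and $ServiceAccounts are placeholders.
$Since           = (Get-Date).AddDays(-90)            # start of the unpatched window
$KnownAdminHosts = @('10.10.50.5', '10.10.50.6')      # placeholder management hosts
$ServiceAccounts = @('svc_veeam')                     # placeholder; leave empty if services run as SYSTEM

function Get-SuspiciousLogons {
    # 4624 property layout: [5]=TargetUserName [8]=LogonType [18]=IpAddress.
    # Flag (a) a service account logging on interactively (2) or via RDP (10),
    # and (b) network (3) or RDP logons from any source that is not a known admin host.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $p = $_.Properties
            [pscustomobject]@{
                Time      = $_.TimeCreated
                User      = $p[5].Value
                LogonType = [int]$p[8].Value
                SourceIp  = $p[18].Value
            }
        } |
        Where-Object {
            ($_.User -in $ServiceAccounts -and $_.LogonType -in 2, 10) -or
            ($_.LogonType -in 3, 10 -and
             $_.SourceIp -notin '-', '127.0.0.1', '::1' -and
             $_.SourceIp -notin $KnownAdminHosts)
        }
}

function Get-NewLocalAccounts {
    # 4720 = user account created. [0]=TargetUserName (new account), [4]=SubjectUserName (creator).
    # Every account created in the window needs a name you recognise.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Time       = $_.TimeCreated
                NewAccount = $_.Properties[0].Value
                CreatedBy  = $_.Properties[4].Value
            }
        }
}

function Get-RecentDroppedBinaries {
    # Executable content written after the window opened, in locations a Local
    # System process can drop into without much noise.
    $paths = @("$env:SystemRoot\Temp", $env:ProgramData, $env:PUBLIC, "$env:SystemRoot\Tasks") |
        Where-Object { Test-Path $_ }
    Get-ChildItem -Path $paths -Recurse -File -Include *.exe, *.dll, *.ps1, *.bat, *.vbs -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -ge $Since } |
        Select-Object FullName, CreationTime, Length
}

$report = [ordered]@{
    SuspiciousLogons = @(Get-SuspiciousLogons)
    NewAccounts      = @(Get-NewLocalAccounts)
    RecentBinaries   = @(Get-RecentDroppedBinaries)
}
$report.GetEnumerator() | ForEach-Object { '{0}: {1} finding(s)' -f $_.Key, $_.Value.Count }
$report.SuspiciousLogons | Format-Table -AutoSize
$report.NewAccounts      | Format-Table -AutoSize
$report.RecentBinaries   | Format-Table -AutoSize
```

Empty results only mean something if the Security log still reaches back to the start of the window and Logon and User Account Management auditing were enabled; check `Get-WinEvent -ListLog Security` for the oldest record and `auditpol /get /category:*` before trusting a clean run. Treat any hit as the start of an incident-response process, not as something to fix by patching.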
Related fixes
Other vulnerability fixes in this series; the first affects the same Veeam deployment and should be patched alongside this one:
- How to Fix CVE-2024-29849: Veeam Backup Enterprise Manager allows unauthenticated users to log in as any... in Backup & Replication
- How to Fix CVE-2024-45076: Unrestricted Upload of File with Dangerous Type in webMethods Integration
- How to Fix CVE-2024-8957: OS Command Injection in Ptzoptics PT30X-NDI
- How to Fix CVE-2024-1708: Path Traversal in Connectwise ScreenConnect
- How to Fix CVE-2024-6886: Cross-Site Scripting in Gitea Open Source Git Server
Frequently asked questions
Is CVE-2024-40711 still being exploited?
Yes. Akira, Fog, and several other ransomware affiliates continue to target unpatched Veeam servers. Any internet-reachable or DMZ-deployed VBR at the affected version should be assumed compromised.
Does Veeam Cloud Connect protect me?
Veeam Cloud Connect adds a network layer but does not patch this vulnerability on your backup server. The fix applies to the VBR install regardless of how backup data is transferred.
What about Veeam ONE or Veeam Service Provider Console?
This CVE is scoped to VBR. Veeam ONE, Veeam Service Provider Console and other Veeam products have separate advisories; check the Veeam KB section for each product.
References
- Official Veeam KB4649: https://www.veeam.com/kb4649
- NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-40711
- CISA KEV catalog entry: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
*This guide was assembled from Veeam KB4649, the NVD record, and the CISA KEV listing on 2026-05-25. Always confirm against Veeam's advisory before applying changes in production.*