CVE-2024-40711
CVE-2024-40711 is a critical-severity vulnerability in Veeam Veeam Backup & Replication with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2024-10-17). The underlying weakness is classified as CWE-502.
Key facts
- Severity: Critical (CVSS 3.x base score 9.8)
- EPSS exploit prediction: 88% (100th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2024-10-17)
- EU (EUVD) id: EUVD-2024-38578
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2024-10-17)
- Weakness: CWE-502
- Affected product: Veeam Veeam Backup & Replication
- Published:
- Last modified:
Description
A deserialization of untrusted data vulnerability with a malicious payload can allow an unauthenticated remote code execution (RCE).
CVE-2024-40711: Veeam Backup & Replication Deserialization RCE
AI-generated analysis based on the vulnerability data on this page.
| Attribute | Value |
|---|---|
| CVE ID | CVE-2024-40711 |
| Product | Veeam Backup & Replication |
| CVSS v3 | 9.8 (Critical) |
| CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| CWE | CWE-502: Deserialization of Untrusted Data |
| EPSS | 0.88193 (99.75th percentile) |
| KEV | Listed (2024-10-17) |
| EU Exploited | Yes (since 2024-10-17) |
Summary
CVE-2024-40711 is a critical deserialization-of-untrusted-data vulnerability in Veeam Backup & Replication. An unauthenticated remote attacker can send a malicious serialized payload to the application, which is then deserialized without adequate validation, resulting in remote code execution (RCE) on the backup server.
Background
Veeam Backup & Replication is a widely deployed enterprise backup and disaster-recovery platform. In September 2024, a critical vulnerability was publicly disclosed in the product. The flaw resides in the way the application handles serialized data from remote, unauthenticated sources, a class of weakness that has historically affected many Java and .NET applications.
Root Cause — CWE-502
The vulnerability is classified under CWE-502: Deserialization of Untrusted Data. The application accepts and deserializes attacker-controlled input through a network-facing endpoint. Because the deserialization routine instantiates arbitrary object types and can trigger side effects (such as method invocations or resource initialization), a carefully crafted payload can chain existing gadget classes to achieve arbitrary code execution on the underlying operating system.
Impact
The National Vulnerability Database (NVD) assigns this flaw a CVSS v3.1 score of 9.8 (Critical).
| Metric | Value |
|---|---|
| Attack Vector (AV) | Network |
| Attack Complexity (AC) | Low |
| Privileges Required (PR) | None |
| User Interaction (UI) | None |
| Scope (S) | Unchanged |
| Confidentiality (C) | High |
| Integrity (I) | High |
| Availability (A) | High |
The combination of Network reachability, Low attack complexity, and No privileges or user interaction means that any internet-exposed or internally reachable Veeam server is at high risk. Successful exploitation grants the attacker full control over the backup infrastructure, with direct impact on confidentiality, integrity, and availability.
Exploitation Walkthrough (Defensive Perspective)
Ethics caveat: This section describes the attack flow from a defender's viewpoint. No weaponized exploit code is provided.
- Reconnaissance — The attacker identifies a Veeam Backup & Replication instance (commonly on TCP ports 9392 or 9401).
- Payload Crafting — The attacker constructs a serialized object payload designed to exploit the deserialization sink. The payload leverages known gadget chains available in the application's dependency tree.
- Delivery — The payload is transmitted to a network-facing endpoint that accepts serialized input (e.g., a remoting or management channel).
- Deserialization Trigger — The server deserializes the payload. During object reconstruction, a chain of method calls is executed, culminating in operating-system command execution.
- Post-Exploitation — With code execution achieved, the attacker can pivot laterally, exfiltrate backup data, deploy ransomware, or maintain persistence.
Affected and Patched Versions
The vulnerability affects Veeam Backup & Replication. Specific version ranges are not available in the disclosed metadata. Administrators should consult Veeam KB4649 for the authoritative list of affected and patched releases.
Remediation
- Upgrade — Apply the patched version as specified in Veeam KB4649 as soon as possible.
- Network Segmentation — Restrict network access to Veeam management and remoting ports to authorized administrative hosts only. Do not expose these interfaces to the public internet.
- Compensating Controls —
- Deploy a Web Application Firewall (WAF) or intrusion-prevention system (IPS) with signatures for anomalous serialized object traffic.
- Enforce VPN or jump-host access for remote administration.
- Maintain offline, immutable backups to recover in the event of compromise.
Detection
- Network — Monitor for unexpected serialized-object traffic (e.g., Java serialized streams, .NET BinaryFormatter, or other known serialization formats) directed at Veeam endpoints.
- Endpoint — Alert on anomalous process spawning (e.g.,
cmd.exe,powershell.exe, or unexpected child processes) from Veeam service accounts. - Authentication — Review logs for unauthorized access attempts to Veeam's remoting or REST APIs from unexpected source IPs.
Assessment
With an EPSS score of 0.88193 (99.75th percentile) and inclusion in CISA's Known Exploited Vulnerabilities (KEV) catalog on 2024-10-17, this vulnerability is being actively exploited in the wild. The EU also lists it as exploited since the same date. Organizations running unpatched instances should treat this as an immediate, high-priority incident.
Key lessons:
- Deserialization of untrusted data remains one of the highest-impact vulnerability classes in enterprise software.
- Backup infrastructure is a prime target for ransomware operators; strict network isolation and rapid patching are essential.
References
Frequently asked questions
- What is CVE-2024-40711?
- A deserialization of untrusted data vulnerability with a malicious payload can allow an unauthenticated remote code execution (RCE).
- How severe is CVE-2024-40711?
- CVE-2024-40711 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2024-40711 being actively exploited?
- Yes. CVE-2024-40711 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2024-10-17, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2024-40711?
- CVE-2024-40711 affects Veeam Veeam Backup & Replication. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2024-40711?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2024-40711 have an EU (EUVD) identifier?
- Yes. CVE-2024-40711 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2024-38578. It is also flagged as exploited in the EUVD (since 2024-10-17).
- When was CVE-2024-40711 published?
- CVE-2024-40711 was published on 2024-09-07 and last updated on 2026-06-17.
References
- https://www.veeam.com/kb4649
- https://labs.watchtowr.com/veeam-backup-response-rce-with-auth-but-mostly-without-auth-cve-2024-40711-2/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-40711
Affected products (1)
- cpe:2.3:a:veeam:veeam_backup_\&_replication:*:*:*:*:*:*:*:*
More vulnerabilities in Veeam Veeam Backup & Replication
- CVE-2026-21708 — Critical (CVSS 9.9): A vulnerability allowing a Backup Viewer to perform remote code execution (RCE) as the postgres user.
- CVE-2026-21669 — Critical (CVSS 9.9): A vulnerability allowing an authenticated domain user to perform remote code execution (RCE) on the Backup Server.
- CVE-2026-21667 — Critical (CVSS 9.9): A vulnerability allowing an authenticated domain user to perform remote code execution (RCE) on the Backup Server.
- CVE-2026-21666 — Critical (CVSS 9.9): A vulnerability allowing an authenticated domain user to perform remote code execution (RCE) on the Backup Server.
- CVE-2025-48983 — Critical (CVSS 9.9): A vulnerability in the Mount service of Veeam Backup & Replication, which allows for remote code execution (RCE) on the…
- CVE-2024-29849 — Critical (CVSS 9.8): Veeam Backup Enterprise Manager allows unauthenticated users to log in as any user to enterprise manager web interface.
All CVEs affecting Veeam Veeam Backup & Replication →
Other CWE-502 (Deserialization of Untrusted Data) vulnerabilities
- CVE-2026-41104 — Critical (CVSS 10.0): Deserialization of untrusted data in Microsoft Planetary Computer Pro allows an unauthorized attacker to disclose…
- CVE-2026-43633 — Critical (CVSS 10.0): HestiaCP versions 1.9.0 through 1.9.4 contain a deserialization vulnerability in the web terminal component caused by a…
- CVE-2026-33819 — Critical (CVSS 10.0): Deserialization of untrusted data in Microsoft Bing allows an unauthorized attacker to execute code over a network.
- CVE-2026-20131 — Critical (CVSS 10.0): A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FMC) Software could…
- CVE-2026-25632 — Critical (CVSS 10.0): EPyT-Flow is a Python package designed for the easy generation of hydraulic and water quality scenario data of water…
- CVE-2025-14931 — Critical (CVSS 10.0): Hugging Face smolagents Remote Python Executor Deserialization of Untrusted Data Remote Code Execution Vulnerability.…
Browse all CWE-502 (Deserialization of Untrusted Data) vulnerabilities →