CVE-2024-40711

CVE-2024-40711 is a critical-severity vulnerability in Veeam Veeam Backup & Replication with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2024-10-17). The underlying weakness is classified as CWE-502.

Key facts

Description

A deserialization of untrusted data vulnerability with a malicious payload can allow an unauthenticated remote code execution (RCE).

CVE-2024-40711: Veeam Backup & Replication Deserialization RCE

AI-generated analysis based on the vulnerability data on this page.

Attribute Value
CVE ID CVE-2024-40711
Product Veeam Backup & Replication
CVSS v3 9.8 (Critical)
CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE CWE-502: Deserialization of Untrusted Data
EPSS 0.88193 (99.75th percentile)
KEV Listed (2024-10-17)
EU Exploited Yes (since 2024-10-17)

Summary

CVE-2024-40711 is a critical deserialization-of-untrusted-data vulnerability in Veeam Backup & Replication. An unauthenticated remote attacker can send a malicious serialized payload to the application, which is then deserialized without adequate validation, resulting in remote code execution (RCE) on the backup server.

Background

Veeam Backup & Replication is a widely deployed enterprise backup and disaster-recovery platform. In September 2024, a critical vulnerability was publicly disclosed in the product. The flaw resides in the way the application handles serialized data from remote, unauthenticated sources, a class of weakness that has historically affected many Java and .NET applications.

Root Cause — CWE-502

The vulnerability is classified under CWE-502: Deserialization of Untrusted Data. The application accepts and deserializes attacker-controlled input through a network-facing endpoint. Because the deserialization routine instantiates arbitrary object types and can trigger side effects (such as method invocations or resource initialization), a carefully crafted payload can chain existing gadget classes to achieve arbitrary code execution on the underlying operating system.

Impact

The National Vulnerability Database (NVD) assigns this flaw a CVSS v3.1 score of 9.8 (Critical).

Metric Value
Attack Vector (AV) Network
Attack Complexity (AC) Low
Privileges Required (PR) None
User Interaction (UI) None
Scope (S) Unchanged
Confidentiality (C) High
Integrity (I) High
Availability (A) High

The combination of Network reachability, Low attack complexity, and No privileges or user interaction means that any internet-exposed or internally reachable Veeam server is at high risk. Successful exploitation grants the attacker full control over the backup infrastructure, with direct impact on confidentiality, integrity, and availability.

Exploitation Walkthrough (Defensive Perspective)

Ethics caveat: This section describes the attack flow from a defender's viewpoint. No weaponized exploit code is provided.

  1. Reconnaissance — The attacker identifies a Veeam Backup & Replication instance (commonly on TCP ports 9392 or 9401).
  2. Payload Crafting — The attacker constructs a serialized object payload designed to exploit the deserialization sink. The payload leverages known gadget chains available in the application's dependency tree.
  3. Delivery — The payload is transmitted to a network-facing endpoint that accepts serialized input (e.g., a remoting or management channel).
  4. Deserialization Trigger — The server deserializes the payload. During object reconstruction, a chain of method calls is executed, culminating in operating-system command execution.
  5. Post-Exploitation — With code execution achieved, the attacker can pivot laterally, exfiltrate backup data, deploy ransomware, or maintain persistence.

Affected and Patched Versions

The vulnerability affects Veeam Backup & Replication. Specific version ranges are not available in the disclosed metadata. Administrators should consult Veeam KB4649 for the authoritative list of affected and patched releases.

Remediation

  1. Upgrade — Apply the patched version as specified in Veeam KB4649 as soon as possible.
  2. Network Segmentation — Restrict network access to Veeam management and remoting ports to authorized administrative hosts only. Do not expose these interfaces to the public internet.
  3. Compensating Controls
    • Deploy a Web Application Firewall (WAF) or intrusion-prevention system (IPS) with signatures for anomalous serialized object traffic.
    • Enforce VPN or jump-host access for remote administration.
    • Maintain offline, immutable backups to recover in the event of compromise.

Detection

  • Network — Monitor for unexpected serialized-object traffic (e.g., Java serialized streams, .NET BinaryFormatter, or other known serialization formats) directed at Veeam endpoints.
  • Endpoint — Alert on anomalous process spawning (e.g., cmd.exe, powershell.exe, or unexpected child processes) from Veeam service accounts.
  • Authentication — Review logs for unauthorized access attempts to Veeam's remoting or REST APIs from unexpected source IPs.

Assessment

With an EPSS score of 0.88193 (99.75th percentile) and inclusion in CISA's Known Exploited Vulnerabilities (KEV) catalog on 2024-10-17, this vulnerability is being actively exploited in the wild. The EU also lists it as exploited since the same date. Organizations running unpatched instances should treat this as an immediate, high-priority incident.

Key lessons:

  1. Deserialization of untrusted data remains one of the highest-impact vulnerability classes in enterprise software.
  2. Backup infrastructure is a prime target for ransomware operators; strict network isolation and rapid patching are essential.

References

Frequently asked questions

What is CVE-2024-40711?
A deserialization of untrusted data vulnerability with a malicious payload can allow an unauthenticated remote code execution (RCE).
How severe is CVE-2024-40711?
CVE-2024-40711 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
Is CVE-2024-40711 being actively exploited?
Yes. CVE-2024-40711 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2024-10-17, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2024-40711?
CVE-2024-40711 affects Veeam Veeam Backup & Replication. See the affected-products list for the exact vulnerable versions.
How do I fix CVE-2024-40711?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2024-40711 have an EU (EUVD) identifier?
Yes. CVE-2024-40711 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2024-38578. It is also flagged as exploited in the EUVD (since 2024-10-17).
When was CVE-2024-40711 published?
CVE-2024-40711 was published on 2024-09-07 and last updated on 2026-06-17.

References

Affected products (1)

More vulnerabilities in Veeam Veeam Backup & Replication

All CVEs affecting Veeam Veeam Backup & Replication →

Other CWE-502 (Deserialization of Untrusted Data) vulnerabilities

Browse all CWE-502 (Deserialization of Untrusted Data) vulnerabilities →