Low-Privileged User Can Exploit Insecure Deserialization to Delete Any File with Service Account Privileges
CVE-2024-42455
7.1 HIGH
Summary
A vulnerability in Veeam Backup & Replication allows a low-privileged user to connect to the product's remoting services and abuse weak validation in its deserialization logic. By sending a serialized temporary file collection whose entries are not sufficiently validated, the attacker can cause any file on the system to be deleted with the privileges of the service account. The flaw illustrates why objects reconstructed from untrusted input, file paths in particular, must be validated before they are allowed to drive privileged operations.
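The following is an added illustration of the class of check the summary calls for; it is not Veeam's code, does not use the product's actual remoting or serialization format (JSON stands in for it), and the handler names, the `{"paths": [...]}` document shape and the directory layout are all hypothetical. It contrasts a handler that deletes whatever paths the deserialized collection names with one that resolves each entry and only deletes files confined to the service's own temporary directory.

```python
import json
import os
import tempfile
from pathlib import Path


def delete_temp_files_unchecked(serialized: bytes) -> list[str]:
    """Weak handler (hypothetical): trusts every path in the collection.

    Whatever the caller serialized is removed with the handler's privileges,
    so a low-privileged client can name files it could never delete itself.
    """
    deleted = []
    for p in json.loads(serialized)["paths"]:
        if os.path.isfile(p):
            os.remove(p)
            deleted.append(p)
    return deleted


def is_within(path: str, root: str) -> bool:
    """True if `path` resolves (symlinks and '..' included) to a location
    strictly inside `root`."""
    real = os.path.realpath(path)
    real_root = os.path.realpath(root)
    try:
        common = os.path.commonpath([real, real_root])
    except ValueError:  # different drives on Windows
        return False
    return common == real_root and real != real_root


def delete_temp_files_checked(serialized: bytes, temp_root: str,
                              max_entries: int = 1000) -> tuple[list[str], list[str]]:
    """Hardened handler (hypothetical): validate the shape of the collection
    and confine every entry to temp_root before touching the filesystem."""
    doc = json.loads(serialized)
    paths = doc.get("paths") if isinstance(doc, dict) else None
    if not isinstance(paths, list) or len(paths) > max_entries:
        raise ValueError("malformed temporary file collection")
    deleted, rejected = [], []
    for p in paths:
        if not isinstance(p, str) or not is_within(p, temp_root):
            rejected.append(p)
            continue
        if os.path.isfile(p):
            os.remove(p)
            deleted.append(p)
    return deleted, rejected


def demo() -> dict:
    """Constructed scenario: one legitimate temp file and one '..' traversal
    to a file outside the service's temp directory."""
    root = tempfile.mkdtemp(prefix="svc-temp-")
    victim_dir = tempfile.mkdtemp(prefix="victim-")
    inside = os.path.join(root, "job1.tmp")
    outside = os.path.join(victim_dir, "config.xml")
    for f in (inside, outside):
        Path(f).write_text("x")
    # Both directories share a parent, so this traversal resolves to `outside`.
    traversal = os.path.join(root, "..", os.path.basename(victim_dir), "config.xml")
    payload = json.dumps({"paths": [inside, traversal]}).encode()

    deleted, rejected = delete_temp_files_checked(payload, root)
    outside_survives_checked = os.path.exists(outside)

    # The unchecked handler happily follows the traversal.
    delete_temp_files_unchecked(payload)
    outside_survives_unchecked = os.path.exists(outside)

    return {
        "deleted": deleted,
        "rejected": rejected,
        "outside_survives_checked": outside_survives_checked,
        "outside_survives_unchecked": outside_survives_unchecked,
    }


if __name__ == "__main__":
    print(demo())
```

Containment is checked on the resolved path, so a symlinked directory component or a `..` segment cannot escape the root; an even stronger design records the temp files the service itself created and deletes only those, ignoring client-supplied paths entirely.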
Affected Version(s)
Backup & Replication 12.2
References
CVSS V3.1
Score:
7.1
Severity:
HIGH
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged
Timeline
Vulnerability published