Ransomware operators are exploiting a critical-severity vulnerability in Veeam Backup & Replication to create rogue accounts and deploy malware, Sophos warns.

The issue, tracked as CVE-2024-40711 (CVSS score of 9.8), can be exploited remotely, without authentication, for arbitrary code execution, and was patched in early September with the release of Veeam Backup & Replication version 12.2 (build 12.2.0.334).

While neither Veeam, nor Code White, which was credited with reporting the bug, have shared technical details, attack surface management firm WatchTowr performed an in-depth analysis of the patches to better understand the vulnerability.

CVE-2024-40711 consisted of two issues: a deserialization flaw and an improper authorization bug. Veeam fixed the improper authorization in build 12.1.2.172 of the product, which prevented anonymous exploitation, and included patches for the deserialization bug in build 12.2.0.334, WatchTowr revealed.

Given the severity of the security defect, the security firm refrained from releasing a proof-of-concept (PoC) exploit, noting “we’re a little worried by just how valuable this bug is to malware operators.” Sophos’ fresh warning validates those fears.

“Sophos X-Ops MDR and Incident Response are tracking a series of attacks in the past month leveraging compromised credentials and a known vulnerability in Veeam (CVE-2024-40711) to create an account and attempt to deploy ransomware,” Sophos noted in a Thursday post on Mastodon.

The cybersecurity firm says it has observed attackers deploying the Fog and Akira ransomware and that indicators in four incidents overlap with previously observed attacks attributed to these ransomware groups.

According to Sophos, the threat actors used compromised VPN gateways that lacked multi-factor authentication protections for initial access. In some cases, the VPNs were running unsupported software iterations.

“Each time, the attackers exploited Veeam on the URI /trigger on port 8000, triggering the Veeam.Backup.MountService.exe to spawn net.exe. The exploit creates a local account, ‘point’, adding it to the local Administrators and Remote Desktop Users groups,” Sophos said.

Following the successful creation of the account, the Fog ransomware operators deployed malware to an unprotected Hyper-V server, and then exfiltrated data using the Rclone utility.

Related: Okta Tells Users to Check for Potential Exploitation of Newly Patched Vulnerability

Related: Apple Patches Vision Pro Vulnerability to Prevent GAZEploit Attacks

Related: LiteSpeed Cache Plugin Vulnerability Exposes Millions of WordPress Sites to Attacks

Related: The Imperative for Modern Security: Risk-Based Vulnerability Management