Veeam Patches Critical Vulnerabilities in Enterprise Products


Backup, recovery, and data protection firm Veeam this week announced patches for multiple vulnerabilities in its enterprise products, including critical-severity bugs that could lead to remote code execution (RCE).

The company resolved six flaws in its Backup & Replication product, including a critical-severity issue that could be exploited remotely, without authentication, to execute arbitrary code. Tracked as CVE-2024-40711, the security defect has a CVSS score of 9.8.

Veeam also announced patches for CVE-2024-40710 (CVSS score of 8.8), which refers to multiple related high-severity vulnerabilities that could lead to RCE and sensitive information disclosure.

The remaining four high-severity flaws could lead to modification of multi-factor authentication (MFA) settings, file removal, the interception of sensitive credentials, and local privilege escalation.

All security defects impact Backup & Replication version 12.1.2.172 and earlier 12 builds and were addressed with the release of version 12.2 (build 12.2.0.334) of the solution.

This week, the company also announced that Veeam ONE version 12.2 (build 12.2.0.4093) addresses six vulnerabilities. Two are critical-severity flaws that could allow attackers to execute code remotely on the systems running Veeam ONE (CVE-2024-42024) and to access the NTLM hash of the Reporter Service account (CVE-2024-42019).

The remaining four issues, all ‘high severity’, could allow attackers to execute code with administrator privileges (authentication is required), access saved credentials (possession of an access token is required), modify product configuration files, and perform HTML injection.

Veeam also addressed four vulnerabilities in Service Provider Console, including two critical-severity bugs that could allow a low-privileged attacker to access the NTLM hash of the service account on the VSPC server (CVE-2024-38650) and to upload arbitrary files to the server and achieve RCE (CVE-2024-39714).


The remaining two flaws, both ‘high severity’, could allow low-privileged attackers to execute code remotely on the VSPC server. All four issues were resolved in Veeam Service Provider Console version 8.1 (build 8.1.0.21377).

High-severity bugs were also addressed with the release of Veeam Agent for Linux version 6.2 (build 6.2.0.101), Veeam Backup for Nutanix AHV Plug-In version 12.6.0.632, and Backup for Oracle Linux Virtualization Manager and Red Hat Virtualization Plug-In version 12.5.0.299.
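Because the advisory is expressed entirely in dotted build numbers, the practical question for an administrator is whether each installed build is at or above the fixed build. The following Python check is an added example, not Veeam's own code or tooling: it compares build strings numerically (a plain string comparison would sort a hypothetical "12.10.x" below "12.2.0.334" and misreport it) and uses the fixed builds named in this article. The page only states the affected range for Backup & Replication (12.1.2.172 and earlier 12.x builds), so for the other products a build below the fixed one is reported as "not patched" rather than as confirmed vulnerable. The sample inventory at the bottom is constructed.

```python
"""Check whether installed Veeam builds are at or above the fixed builds.

Added example, not Veeam's own code. Fixed builds are the ones named in the
article; affected-version ranges for products other than Backup & Replication
are not stated on the page, so "not patched" means "below the fixed build".
"""
import re
from typing import Tuple

# Product -> first patched build, as stated in the advisory summary above.
FIXED_BUILDS = {
    "Veeam Backup & Replication": "12.2.0.334",
    "Veeam ONE": "12.2.0.4093",
    "Veeam Service Provider Console": "8.1.0.21377",
    "Veeam Agent for Linux": "6.2.0.101",
    "Veeam Backup for Nutanix AHV Plug-In": "12.6.0.632",
    "Veeam Backup for Oracle Linux Virtualization Manager and Red Hat Virtualization Plug-In": "12.5.0.299",
}


def parse_build(build: str) -> Tuple[int, ...]:
    """Turn '12.1.2.172' into (12, 1, 2, 172).

    Integer comparison matters: as strings, a hypothetical '12.10.0.1' sorts
    before '12.2.0.334' and a newer build would be flagged as unpatched.
    """
    build = build.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", build):
        raise ValueError(f"not a dotted numeric build string: {build!r}")
    return tuple(int(part) for part in build.split("."))


def compare_builds(a: str, b: str) -> int:
    """Return -1 if a < b, 0 if equal, 1 if a > b; missing trailing parts count as 0."""
    pa, pb = parse_build(a), parse_build(b)
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))
    pb += (0,) * (width - len(pb))
    return (pa > pb) - (pa < pb)


def is_patched(product: str, installed_build: str) -> bool:
    """True when the installed build is at or above the fixed build for the product."""
    return compare_builds(installed_build, FIXED_BUILDS[product]) >= 0


def assess(product: str, installed_build: str) -> str:
    """One-line assessment suitable for an inventory report."""
    status = "patched" if is_patched(product, installed_build) else "NOT patched"
    return f"{product}: build {installed_build} is {status} (fixed in {FIXED_BUILDS[product]})"


if __name__ == "__main__":
    # Constructed sample inventory. 12.1.2.172 is the last affected B&R build
    # named in the article; the VSPC build is a made-up pre-patch number.
    inventory = [
        ("Veeam Backup & Replication", "12.1.2.172"),
        ("Veeam Backup & Replication", "12.2.0.334"),
        ("Veeam ONE", "12.2.0.4093"),
        ("Veeam Service Provider Console", "8.0.0.19999"),
    ]
    for product, build in inventory:
        print(assess(product, build))
```

Feed it the build strings from your own inventory tooling; the lookup table is the only part tied to this advisory, so it can be extended as later fixed builds are published.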

Veeam makes no mention of any of these vulnerabilities being exploited in the wild. However, users are advised to update their installations as soon as possible, as threat actors are known to have exploited vulnerable Veeam products in attacks.
