Veeam Backup and Replication Remote Code Execution Vulnerability for Domain Users

Vulnerability

A remote code execution vulnerability has been identified in Veeam Backup & Replication versions 12.3.0.310 and earlier. This vulnerability allows authenticated domain users to execute arbitrary code on the backup server. The issue arises from a deserialization vulnerability in the .NET Remoting Channel, where Veeam's deserialization mechanism improperly manages a blacklist of disallowed classes. Exploitation is possible by leveraging specific deserialization gadgets available in the Veeam codebase.

Impact

Exploitation of this vulnerability allows for arbitrary code execution on the Veeam Backup server with SYSTEM privileges.

Reproduction

The vulnerability can be reproduced by any domain user on a Veeam Backup & Replication server that is joined to the Active Directory domain. The exploitation involves sending a crafted object through the .NET Remoting Channel that exploits the deserialization vulnerability, bypassing the application's blacklist checks.

Remediation

Users are advised to upgrade to Veeam Backup & Replication version 12.3.1 or later.
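The following PowerShell script is an added example, not part of this advisory or of Veeam's own tooling. It turns the version boundary stated above (12.3.0.310 and earlier affected, 12.3.1 or later fixed) into a check an administrator can run on a backup server. It assumes the product registers under the standard Windows uninstall registry hive with a DisplayName beginning "Veeam Backup & Replication" (an assumption; adjust the filter if your installation reports a different name). The sample version strings other than the two quoted in the advisory are constructed for the self-check.

```powershell
# Added example (not from the advisory or from Veeam): flags an installed
# Veeam Backup & Replication build that is below the 12.3.1 fix version.
# Assumption: the product appears in the standard uninstall registry hive
# with a DisplayName starting "Veeam Backup & Replication".

$FixedVersion = [version]'12.3.1'   # first fixed version per the advisory

function Test-VeeamAffected {
    # Returns $true when the supplied version is older than 12.3.1.
    # [version] compares component-wise, so '12.3.0.310' sorts below '12.3.1'.
    param([Parameter(Mandatory)][string]$InstalledVersion)
    $parsed = $null
    if (-not [version]::TryParse($InstalledVersion, [ref]$parsed)) {
        throw "Unparseable version string: '$InstalledVersion'"
    }
    return ($parsed -lt $FixedVersion)
}

function Get-VeeamInstalledVersion {
    # Reads DisplayVersion from both 64-bit and 32-bit uninstall hives.
    $hives = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $hives -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Veeam Backup & Replication*' } |   # assumed name
        Select-Object -First 1 -ExpandProperty DisplayVersion
}

# Self-check against the advisory's boundary values plus two constructed ones.
foreach ($sample in '12.3.0.310', '12.3.0.1', '12.3.1', '12.4') {
    '{0,-12} affected: {1}' -f $sample, (Test-VeeamAffected $sample)
}

# Live check on this host.
$installed = Get-VeeamInstalledVersion
if (-not $installed) {
    'Veeam Backup & Replication was not found in the uninstall registry.'
}
elseif (Test-VeeamAffected $installed) {
    Write-Warning "Installed version $installed is affected; upgrade to $FixedVersion or later."
}
else {
    "Installed version $installed is at or above $FixedVersion."
}
```

Run it in an elevated PowerShell session on each backup server, or wrap `Get-VeeamInstalledVersion` in `Invoke-Command` to sweep a list of hosts. The self-check loop prints `True` for the two builds at or below 12.3.0.310 and `False` for the two at or above 12.3.1, so the comparison logic can be confirmed before trusting the live result.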

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread:         4.5
impact:         7.5
exploitability: 6.2
remediation:    7.7
relevance:      0.0
threat:         7.2
urgency:        2.9
incentive:      1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.