This article documents vulnerabilities discovered in Veeam Backup Enterprise Manager (VBEM), a supplementary application customers may deploy to manage Veeam Backup & Replication (VBR) using a web console.
Deploying VBEM is optional; not all environments will have it installed. As such, if VBEM was not deployed in your environment, that environment would not be impacted by these vulnerabilities.
Tip: You can identify whether VBEM is installed by checking for the Veeam Backup Enterprise Manager service, or by running the following PowerShell commands on the Veeam Backup Server to see whether VBR reports that it is managed by a VBEM deployment. The two statements must be run as separate lines (or separated by a semicolon); the first loads the Veeam PowerShell module, the second queries the registered Enterprise Manager.
# Run in an elevated PowerShell session on the Veeam Backup Server
Get-VBRServer | Out-Null
[Veeam.Backup.Core.SBackupOptions]::GetEnterpriseServerInfo() | Format-List
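The check above tells you whether VBR is managed by a VBEM instance; the following script, added here as an example and not part of the Veeam KB article, approaches it from the other side. Run on a host you suspect carries VBEM, it looks for the VBEM Windows service, reads the version of the service executable, reports which account the service runs as (relevant to the NTLM-hash issue described in this article), and compares the version with the fixed build 12.1.2.172 named below. The service display-name pattern, and the use of the service executable's file version as the product version, are assumptions; confirm them against your own installation.

```powershell
# Added example, not Veeam's own code: inventory the Veeam Backup Enterprise Manager (VBEM)
# service on this host and compare its version with the fixed build from the article.
# Assumptions (verify locally): the VBEM service display name contains "Enterprise Manager",
# and the file version of its executable matches the VBEM product version.

$FixedVersion = [version]'12.1.2.172'   # fixed build stated in the article

# Assumption: the VBEM Windows service carries "Veeam ... Enterprise Manager" in its display name.
$services = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.DisplayName -like '*Veeam*Enterprise Manager*' }

if (-not $services) {
    Write-Output 'No VBEM service found: this host does not run Enterprise Manager.'
    return
}

foreach ($svc in $services) {
    # Win32_Service.PathName may be quoted and may carry arguments; keep only the executable path.
    $exe = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] } else { ($svc.PathName -split ' ')[0] }

    # Strip any non-numeric suffix before casting so the comparison is done on [version] values.
    $fileVersion = (Get-Item -LiteralPath $exe).VersionInfo.FileVersion
    $installed   = [version]($fileVersion -replace '[^\d.].*$', '')

    [pscustomobject]@{
        Service      = $svc.Name
        # A service account other than the default Local System widens the exposure
        # of the NTLM-hash issue documented in this article.
        StartAccount = $svc.StartName
        Executable   = $exe
        Version      = $installed
        Status       = if ($installed -ge $FixedVersion) {
                           'Fixed build or later'
                       } else {
                           "Below $FixedVersion - upgrade Veeam Backup Enterprise Manager"
                       }
    }
}
```

Run it in an elevated PowerShell session on each host that may carry VBEM. A `StartAccount` of `LocalSystem` is the default the article refers to; anything else is worth reviewing while you schedule the upgrade.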
This vulnerability in Veeam Backup Enterprise Manager allows an unauthenticated attacker to log in to the Veeam Backup Enterprise Manager web interface as any user.
Severity: Critical
CVSS v3.1 Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
This vulnerability in Veeam Backup Enterprise Manager allows account takeover via NTLM relay.
Severity: High
CVSS v3.1 Score: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
This vulnerability in Veeam Backup Enterprise Manager allows a high-privileged user to steal the NTLM hash of the Veeam Backup Enterprise Manager service account if that service account is anything other than the default Local System account.
Severity: High
CVSS v3.1 Score: 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
This vulnerability in Veeam Backup Enterprise Manager allows high-privileged users to read backup session logs.
Severity: Low
CVSS v3.1 Score: 2.7 (AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N)
All vulnerabilities documented in this article were fixed in Veeam Backup Enterprise Manager 12.1.2.172, which is packaged with:
For customers who are unable to upgrade Veeam Backup Enterprise Manager to 12.1.2.172 immediately, consider the following: