IRONSMITHINTEL

Critical | CVSS 9.8 | Actively Exploited | CISA KEV | CVE-2024-40711 | Auth: none (unauthenticated) | Reboot: not required | Est. 1 hour including service restart | Manual only

Veeam Backup & Replication < 12.2 — RCE

Unauthenticated remote code execution in Veeam Backup & Replication via unsafe .NET deserialization. Update to VBR 12.2 immediately — exploited by ransomware groups (Akira, Fog) to disable backups before deploying ransomware.

Published Sep 4, 2024 · Updated May 10, 2026
Why patch (risk explained in plain English)

Worst-case scenario if unpatched

An unauthenticated attacker achieves code execution on the backup server, which typically has access to backup credentials, protected server credentials, and the ability to modify or delete backup data. Ransomware groups exploited this to delete all backups before encrypting production systems, eliminating recovery options.

How the attack works (no clicks needed)

Veeam Backup & Replication's service endpoint deserialises untrusted .NET objects without authentication. An attacker who can reach TCP port 9401 (Veeam's service port) can send a malicious serialised object that triggers arbitrary code execution on the backup server. Backup servers typically run with highly elevated privileges and have network access to all protected systems.


Am I affected? (quick check)

Probably yes if any of these apply:

Running Veeam Backup & Replication 12.x prior to 12.2.0.334 (build 12.2.0.334)

Audience: Backup Administrators, IT Security, All Windows Administrators

Affected OS versions

Windows Server 2016, Windows Server 2019, Windows Server 2022

Fixed in: Veeam Backup & Replication 12.2 (build 12.2.0.334)

Real-world incidents (what we've seen)

Sophos X-Ops and watchTowr reported active exploitation of CVE-2024-40711 by Akira and Fog ransomware operators in September 2024. The standard attack pattern: (1) exploit Veeam RCE, (2) extract domain credentials from Veeam's encrypted configuration, (3) delete all backup jobs, (4) deploy ransomware across the domain. CISA added this to KEV in September 2024.

How to patch

Manual remediation steps

Estimated time: 1 hour including service restart

Check Veeam Version

# Check installed Veeam version:
Get-ItemProperty "HKLM:\SOFTWARE\Veeam\Veeam Backup and Replication" |
  Select-Object CoreVersion, UIVersion

# Or from Veeam console: Help > About

Check Network Exposure

# Check if Veeam service port is accessible from untrusted networks
Get-NetFirewallRule -DisplayName "*Veeam*" | Select-Object DisplayName, Action, Direction

# Check what is listening on port 9401:
Get-NetTCPConnection -LocalPort 9401 -State Listen

Immediate Mitigation (firewall restriction)

# Restrict Veeam service port to trusted management IPs only
New-NetFirewallRule -DisplayName "Restrict Veeam Port 9401" `
  -Direction Inbound -Protocol TCP -LocalPort 9401 `
  -RemoteAddress "10.0.0.0/8","192.168.0.0/16" `
  -Action Allow

# Windows Firewall evaluates Block rules before Allow rules, so a blanket deny
# rule on 9401 would also cut off the trusted ranges above. Instead, disable or
# rescope any existing enabled inbound Allow rule (port- or program-based) that
# already opens 9401 to "Any" remote address, so the scoped rule above is the
# only rule that matches and the default inbound block covers everything else.

Apply the Update

1. Download Veeam Backup & Replication 12.2 from https://www.veeam.com/kb4627
2. Stop all active backup and replication jobs
3. Run the installer as Administrator
4. Follow the upgrade wizard
5. Restart the Veeam Backup Service after upgrade

Verify

Get-ItemProperty "HKLM:\SOFTWARE\Veeam\Veeam Backup and Replication" |
  Select-Object CoreVersion
# Must show 12.2.0.334 or later
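The manual checks above (installed build, listening port, firewall scope) combined into one assessment script. This is an added example, not the page's own automation script (which the page lists as coming soon): it assumes only the registry key, the CoreVersion/UIVersion values, the fixed build 12.2.0.334 and TCP port 9401 quoted on this page; the function names and the triage logic are my own.

```powershell
# Added example, not the page's own script. Assumed from the page: the registry
# key, the fixed build and TCP port 9401. Run in an elevated PowerShell session
# on the backup server.
$RegPath           = 'HKLM:\SOFTWARE\Veeam\Veeam Backup and Replication'
$MinimumFixedBuild = [version]'12.2.0.334'
$ServicePort       = 9401

function Get-VeeamInstalledVersion {
    # Returns the installed VBR build as [version], or $null if the key/value is absent.
    $props = Get-ItemProperty -Path $RegPath -ErrorAction SilentlyContinue
    if (-not $props) { return $null }
    # CoreVersion is what the manual check above reads; fall back to UIVersion.
    $raw = $props.CoreVersion
    if (-not $raw) { $raw = $props.UIVersion }
    if (-not $raw) { return $null }
    try { return [version]$raw } catch { return $null }
}

function Test-VeeamVulnerableBuild {
    param([version]$Installed)
    # Not installed: nothing to patch here. Otherwise any build below the fixed
    # build is reported (the page scopes the issue to 12.x builds).
    if (-not $Installed) { return $false }
    return ($Installed -lt $MinimumFixedBuild)
}

function Get-VeeamPortExposure {
    # Is 9401 listening, and which enabled inbound Allow rules reach it from 'Any'
    # remote address? Port ranges in a rule (e.g. "9400-9410") are not expanded.
    $listening = @(Get-NetTCPConnection -LocalPort $ServicePort -State Listen -ErrorAction SilentlyContinue)
    $broadRules = foreach ($rule in Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True) {
        $pf = $rule | Get-NetFirewallPortFilter
        $af = $rule | Get-NetFirewallAddressFilter
        $portMatch = ($pf.LocalPort -eq 'Any') -or (@($pf.LocalPort) -contains "$ServicePort")
        $anyRemote = @($af.RemoteAddress) -contains 'Any'
        if ($pf.Protocol -in @('TCP', 'Any') -and $portMatch -and $anyRemote) { $rule.DisplayName }
    }
    [pscustomobject]@{
        Listening       = ($listening.Count -gt 0)
        BroadAllowRules = @($broadRules)
    }
}

function Invoke-VeeamCve202440711Check {
    $installed  = Get-VeeamInstalledVersion
    $vulnerable = Test-VeeamVulnerableBuild -Installed $installed
    $exposure   = Get-VeeamPortExposure

    # Triage: an unpatched build that is reachable from any address is the urgent case.
    if ($vulnerable -and $exposure.BroadAllowRules.Count -gt 0) {
        $action = 'URGENT: scope port 9401 to management networks now, then upgrade to 12.2'
    } elseif ($vulnerable) {
        $action = 'Upgrade to 12.2 (build 12.2.0.334); port already scoped'
    } elseif ($installed) {
        $action = 'Patched; keep port 9401 restricted to trusted networks'
    } else {
        $action = 'Veeam Backup & Replication not detected on this host'
    }

    $installedText = 'not found'
    if ($installed) { $installedText = $installed.ToString() }

    [pscustomobject]@{
        InstalledVersion = $installedText
        FixedBuild       = $MinimumFixedBuild.ToString()
        VulnerableBuild  = $vulnerable
        PortListening    = $exposure.Listening
        BroadAllowRules  = ($exposure.BroadAllowRules -join ', ')
        Action           = $action
    }
}

Invoke-VeeamCve202440711Check | Format-List
```

The firewall walk lists only enabled inbound Allow rules whose remote address scope is "Any" and whose port filter covers 9401; a scoped rule like the one created in the mitigation step above is deliberately not reported, so an empty BroadAllowRules with a listening port means the restriction is in place.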
PowerShell automation: coming soon

No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.