Yashar Shahinzadeh

**Name of the Vulnerable Software and Affected Versions** Veeam ONE Agent (affected versions not specified) **Description** The issue concerns a flaw in access control within Veeam ONE Agent. Successful exploitation allows a remote attacker possessing the service account credentials for Veeam ONE Agent to execute code on the system where the agent is installed. The vulnerability allows for remote code execution. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Veeam Backup Enterprise Manager (affected versions not specified) Description: The issue allows high-privileged users to steal the NTLM hash of the Enterprise manager service account. This is related to insufficient access control in Veeam Backup & Replication, which can be exploited by a remote attacker to gain unauthorized access to the NTLM hash. The exploitation is possible if the service account is not the default Local System account. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Veeam Backup Enterprise Manager (affected versions not specified) **Description** The issue allows high-privileged users to read backup session logs. There is no information provided about the estimated number of potentially affected devices worldwide or real-world incidents where this issue was exploited. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Veeam Backup Enterprise Manager (affected versions not specified) **Description** Veeam Backup Enterprise Manager has a flaw that allows unauthenticated users to log in as any user to the enterprise manager web interface. The vulnerability resides in the `Veeam.Backup.Enterprise.RestAPIService.exe` service, which listens on TCP port 9398 and functions as a REST API server. Exploitation involves sending a specially crafted VMware Single Sign-On (SSO) token via the API. The token includes an authentication request impersonating an administrator and a URL for the SSO service, which Veeam does not validate. The decoded token is interpreted as XML and verified through a SOAP request to a URL controlled by the attacker. A server controlled by the attacker responds positively to verification requests, allowing the attacker to gain administrative access. The vulnerability allows an attacker to bypass authentication and access the Backup Enterprise Manager. A proof-of-concept (PoC) exploit is publicly available. The vulnerability is tracked as CVE-2024-29849 and has a CVSS score of 9.8. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Veeam Agent for Microsoft Windows (affected versions not specified) **Description** The issue is related to weaknesses in the authentication procedure of Veeam Agent for Microsoft Windows, allowing for local privilege escalation. This can enable an attacker to elevate their privileges. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Veeam Backup Enterprise Manager (affected versions not specified) **Description** The issue allows account takeover via NTLM relay. There is no information provided about the estimated number of potentially affected devices worldwide or details about real-world incidents where this issue was exploited. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Machform version 2 **Description** A cross-site scripting (XSS) issue exists, allowing remote attackers to inject arbitrary web script or HTML via the `element 2` parameter in the view.php file. **Recommendations** For Machform version 2, avoid using the `element 2` parameter in the view.php file until a fix is available. Consider restricting access to the view.php file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Machform version 2 **Description** The issue allows remote attackers to execute arbitrary PHP code by uploading a PHP file to the upload form's directory in data/, then accessing it via a direct request. This is due to an unrestricted file upload vulnerability in view.php. **Recommendations** For Machform version 2, consider restricting file uploads to only allowed file types to prevent the execution of arbitrary PHP code. As a temporary workaround, restrict access to the upload form's directory in data/ to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Machform version 2 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved by exploiting the `element 2` parameter in the view.php file. **Recommendations** For Machform version 2, avoid using the `element 2` parameter in the view.php file until the issue is resolved. As a temporary workaround, consider restricting access to the view.php file to minimize the risk of exploitation.