Veeam Agent for Microsoft Windows Vulnerability (CVE-2024-29853)
Please keep in mind that Veeam Agent for Microsoft Windows (VAW) has two primary operation modes, either standalone or managed. When VAW is managed by Veeam Backup & Replication (VBR) or Veeam Service Provider Console (VSPC), the VAW deployment must be upgraded by the server that manages it. Directly upgrading a VAW deployment that VBR manages will likely result in a compatibility issue if the deployed VAW version is higher than the VBR software expects.
- If VAW is operating in purely Standalone operation mode (not targeting a VBR or Cloud Connect repository), it can be upgraded directly on the machine where it is installed.
- If VAW is operating in Standalone operation mode but targets a VBR or Cloud Connect repository, the destination VBR or Cloud Connect deployment must be upgraded to a version that supports the new VAW version before upgrading VAW directly.
- If a VBR server manages VAW, you must upgrade VBR first, then upgrade the managed VAW deployments.
- If a VSPC server manages VAW, the VAW deployment must be upgraded using the VSPC console.
Issue Details
CVE-2024-29853
This vulnerability in Veeam Agent for Microsoft Windows allows for Local Privilege Escalation.
Severity: High
CVSS v3.1 Score: 7.2 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Solution
The vulnerability documented in this article was fixed starting in the following build:
This build of Veeam Agent for Microsoft Windows was included with Veeam Backup & Replication 12.1.2.172.