CVE-2024-40711 arises from the deserialization of untrusted data in the Veeam Backup & Replication software. This vulnerability can be exploited with low-complexity attacks, making it a threat to organizations relying on Veeam’s platform for backup, disaster recovery, and data replication across virtual, physical, and cloud environments. Once exploited, the flaw enables attackers to remotely execute arbitrary code by triggering the vulnerable Veeam.Backup.MountService.exe process on URI /trigger over port 8000, which spawns system commands via net.exe.
Researchers observed that attackers are combining the CVE-2024-40711 exploit with previously compromised credentials to create a local account named "point." This account is added to the Administrators and Remote Desktop Users groups, granting attackers elevated privileges. During these attacks, the ransomware groups also used compromised VPN gateways, many of which lacked multifactor authentication (MFA) and were running outdated or unsupported software.
Researchers identified several ransomware deployments utilizing this exploit. In one instance, the Fog ransomware was deployed on an unprotected Hyper-V server, and data was exfiltrated using the rclone utility. Other attacks featured Akira ransomware.