Veeam warns of critical Backup Enterprise Manager auth bypass bug
ID: 1691aff9-e1af-5017-83ea-e5fdedc86992
STIX ID: report--1691aff9-e1af-5017-83ea-e5fdedc86992
Feed Name: Bleeping Computer
Veeam released patches for a critical Veeam Backup Enterprise Manager authentication bypass (CVE-2024-29849, CVSS 9.8) that permits unauthenticated account login, plus two other high-severity VBEM vulnerabilities (CVE-2024-29850 and CVE-2024-29851). The vendor advises upgrading to VBEM 12.1.2.172 or mitigating by stopping/disabling VeeamEnterpriseManagerSvc and VeeamRESTSvc or uninstalling VBEM; the report also highlights that previous Veeam vulnerabilities have been abused in ransomware campaigns affecting many organizations.
