{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2024-40711","assignerOrgId":"36234546-b8fa-4601-9d6f-f4e334aa8ea1","state":"PUBLISHED","assignerShortName":"hackerone","dateReserved":"2024-07-09T01:04:07.425Z","datePublished":"2024-09-07T16:11:22.213Z","dateUpdated":"2025-10-21T22:55:45.810Z"},"containers":{"cna":{"descriptions":[{"lang":"en","value":"A deserialization of untrusted data vulnerability with a malicious payload can allow an unauthenticated remote code execution (RCE)."}],"affected":[{"defaultStatus":"unaffected","vendor":"Veeam","product":"Backup and  Recovery","versions":[{"version":"12.1.2","status":"affected","lessThanOrEqual":"12.1.2","versionType":"semver"}]}],"references":[{"url":"https://www.veeam.com/kb4649"}],"metrics":[{"cvssV3_0":{"version":"3.0","vectorString":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":9.8,"baseSeverity":"CRITICAL"}}],"providerMetadata":{"orgId":"36234546-b8fa-4601-9d6f-f4e334aa8ea1","shortName":"hackerone","dateUpdated":"2024-09-07T16:11:22.213Z"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"id":"CVE-2024-40711","role":"CISA Coordinator","options":[{"Exploitation":"active"},{"Automatable":"yes"},{"Technical Impact":"total"}],"version":"2.0.3","timestamp":"2024-10-29T21:45:53.497382Z"}}},{"other":{"type":"kev","content":{"dateAdded":"2024-10-17","reference":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-40711"}}}],"affected":[{"cpes":["cpe:2.3:a:veeam:backup_\\&_replication:*:*:*:*:*:*:*:*"],"vendor":"veeam","product":"backup_\\&_replication","versions":[{"status":"affected","version":"0","versionType":"custom","lessThanOrEqual":"12.2.0.334"}],"defaultStatus":"unaffected"}],"references":[{"url":"https://labs.watchtowr.com/veeam-backup-response-rce-with-auth-but-mostly-without-auth-cve-2024-40711-2/"},{"url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-40711","tags":["government-resource"]}],"problemTypes":[{"descriptions":[{"lang":"en","type":"CWE","cweId":"CWE-502","description":"CWE-502 Deserialization of Untrusted Data"}]}],"timeline":[{"time":"2024-10-17T00:00:00.000Z","lang":"en","value":"CVE-2024-40711 added to CISA KEV"}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-10-21T22:55:45.810Z"}}]}}