Advisory 78: VEEAM Releases Security Updates for Multiple Products
Release Date: 5th of February 2025
Impact: HIGH / CRITICAL
TLP Rating: Clear
CERT Vanuatu (CERTVU) and the Department of Communication and Digital Transformation (DCDT) provide the following advisory.
What is it?
Veeam released security updates to address vulnerabilities in multiple products. A vulnerability in the Veeam Updater component allows an attacker to use a Man-in-the-Middle attack to execute arbitrary code on the affected appliance server with root-level permissions.
CERTVU encourages all system administrators to review the following advisory and apply the necessary updates.
Products:
• Veeam Backup for Salesforce
• Veeam Backup for Nutanix AHV
• Veeam Backup for AWS
• Veeam Backup for Microsoft Azure
• Veeam Backup for Google Cloud
• Veeam Backup for Oracle Linux Virtualization Manager and Red Hat Virtualization
What are the Systems affected?
The following product's current release is affected by this vulnerability:
• Veeam Backup for Salesforce — 3.1 and older
Previous Releases
The following products' older releases use an older Veeam Updater component that was also found to be affected.
As noted below each entry, the most recent version of each of these appliances is not affected. Therefore, if Veeam Backup & Replication is running version 12.3 and the appliances for these products have been updated, they are running a current, unaffected version.
• Veeam Backup for Nutanix AHV — 5.0 | 5.1
Note: Version 6 (released on 2024-08-24 alongside VBR 12.2) and higher are unaffected by this vulnerability.
• Veeam Backup for AWS — 6a | 7
Note: The most recent version (v8), released on 2024-07-02, is unaffected by this vulnerability.
• Veeam Backup for Microsoft Azure — 5a | 6
Note: The most recent version (v7), released on 2024-07-02, is unaffected by this vulnerability.
• Veeam Backup for Google Cloud — 4 | 5
Note: The most recent version (v6), released on 2024-12-03, is unaffected by this vulnerability.
• Veeam Backup for Oracle Linux Virtualization Manager and Red Hat Virtualization — 3 | 4.0 | 4.1
Note: Version 5 (released on 2024-08-24 alongside VBR 12.2) and higher are unaffected by this vulnerability.
What does this mean?
An attacker could exploit this vulnerability by launching a man-in-the-middle attack against the Veeam Updater component to execute arbitrary code on the affected appliance server with root-level permissions, taking control of the affected system.
Mitigation process
Administrators are advised to review the sections below and follow the instructions in the corresponding Veeam advisory guides.
Veeam Backup for Salesforce
The vulnerability was resolved in Veeam Updater component version 7.9.0.1124.
Check for updates using the built-in Veeam Updater to update the Veeam Updater component.
View updates history, and check the Veeam Updater version shown in the top-right corner.
Veeam Backup for Nutanix AHV
Note: If Veeam Backup & Replication 12.3 is installed, and the Veeam Backup for Nutanix AHV appliance has already been upgraded, the appliance is unaffected by this vulnerability.
The vulnerability was resolved in Veeam Updater component version 9.0.0.1125.
Check for updates using the built-in Veeam Updater to update the Veeam Updater component.
View updates history, and check the Veeam Updater version shown in the top-right corner.
Veeam Backup for AWS
Note: If Veeam Backup & Replication 12.3 is installed, and the AWS backup appliance has already been upgraded, the appliance is unaffected by this vulnerability.
The vulnerability was resolved in Veeam Updater component version 9.0.0.1126.
Check for updates using the built-in Veeam Updater to update the Veeam Updater component.
View updates history, and check the Veeam Updater version shown in the top-right corner.
Veeam Backup for Microsoft Azure
Note: If Veeam Backup & Replication 12.3 is installed, and the Microsoft Azure backup appliance has already been upgraded, the appliance is unaffected by this vulnerability.
The vulnerability was resolved in Veeam Updater component version 9.0.0.1128.
Check for updates using the built-in Veeam Updater to update the Veeam Updater component.
View updates history, and check the Veeam Updater version shown in the top-right corner.
Veeam Backup for Google Cloud
Note: If Veeam Backup & Replication 12.3 is installed, and the Google Cloud backup appliance has already been upgraded, the appliance is unaffected by this vulnerability.
The vulnerability was resolved in Veeam Updater component version 9.0.0.1128.
Check for updates using the built-in Veeam Updater to update the Veeam Updater component.
View updates history, and check the Veeam Updater version shown in the top-right corner.
Veeam Backup for Oracle Linux Virtualization Manager and Red Hat Virtualization
Note: If Veeam Backup & Replication 12.3 is installed, and the Veeam Backup for Oracle Linux Virtualization Manager and Red Hat Virtualization appliance has already been upgraded, the appliance is unaffected by this vulnerability.
The vulnerability was resolved in Veeam Updater component version 9.0.0.1127.
All Veeam Updater component versions equal to or higher than this are unaffected by this vulnerability.
Update the backup appliance from within the Veeam Backup & Replication Console.
To check which Veeam Updater component is used by the Veeam Backup for Oracle Linux Virtualization Manager and Red Hat Virtualization appliance:
1. Download support logs from the appliance.
2. Within the collected logs, open the file "<log_bundle>/veeam/veeam-updater/updater.log".
3. Review the log to identify the Veeam Updater component version. In most cases, the version is listed in the lines just after the entry that records the service starting.
   o For newer, unaffected appliance versions (v5 and higher), the entry appears as "Application : Veeam.Updater, Version=". For example:
     Starting log. Severity threshold: Information, LogFilesNumber = 10, LogFileMaxSize = 10 Mbs, ArchivesLimit = 10
     -----------------------------------------------------------------------------------------------------------------
     Release version : 11.0.0.754
     Application : Veeam.Updater, Version=11.0.0.754, Culture=neutral, PublicKeyToken=null
   o For older, affected appliance versions (v3, v4, and v4.1), the entry appears as "Main.main: Version:". For example:
     MM.DD.YYYY HH:MM:SS [info ] ### [###] Main.main: ============= Starting =============
     MM.DD.YYYY HH:MM:SS [info ] ### [###] Main.main: Version: 9.0.0.1087
In this example, the Veeam Updater build (9.0.0.1087) is lower than the fixed build (9.0.0.1127), which indicates that the Veeam Backup for Oracle Linux Virtualization Manager and Red Hat Virtualization backup appliance needs to be updated.
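To make the log check above repeatable across many collected bundles, the following is an added Python example (not Veeam's code and not part of the original advisory) that extracts the Veeam Updater version from updater.log text in either of the two formats described above and compares it numerically with the fixed build. The fixed-build table for all appliances is taken from this advisory, but only the Oracle Linux Virtualization Manager and Red Hat Virtualization (abbreviated OLVM and RHV in the code) log format is documented here, so applying the other entries assumes their updater.log uses the same format; the sample log lines are constructed.

```python
import re

# Fixed Veeam Updater builds per appliance, as listed in this advisory.
FIXED_UPDATER_BUILD = {
    "Veeam Backup for Salesforce": "7.9.0.1124",
    "Veeam Backup for Nutanix AHV": "9.0.0.1125",
    "Veeam Backup for AWS": "9.0.0.1126",
    "Veeam Backup for Microsoft Azure": "9.0.0.1128",
    "Veeam Backup for Google Cloud": "9.0.0.1128",
    "Veeam Backup for OLVM and RHV": "9.0.0.1127",
}

# The two updater.log formats the advisory describes: "Application : Veeam.Updater, Version=X, ..."
# on newer (v5+) appliances and "Main.main: Version: X" on older (v3/v4/v4.1) appliances.
_NEW_FMT = re.compile(r"Application\s*:\s*Veeam\.Updater,\s*Version=(\d+(?:\.\d+)+)")
_OLD_FMT = re.compile(r"Main\.main:\s*Version:\s*(\d+(?:\.\d+)+)")

def parse_build(version: str) -> tuple:
    """Turn '9.0.0.1087' into (9, 0, 0, 1087) so builds compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))

def updater_version_from_log(log_text: str):
    """Return the Updater version logged at the most recent service start, or None if absent."""
    found = None
    for line in log_text.splitlines():
        match = _NEW_FMT.search(line) or _OLD_FMT.search(line)
        if match:
            found = match.group(1)  # a later service start overwrites an earlier one
    return found

def needs_update(log_text: str, fixed_build: str = FIXED_UPDATER_BUILD["Veeam Backup for OLVM and RHV"]):
    """True if the logged build is below the fixed build, False if not, None if no version line exists."""
    version = updater_version_from_log(log_text)
    if version is None:
        return None
    return parse_build(version) < parse_build(fixed_build)

# Constructed sample excerpts modelled on the advisory's examples (timestamps are placeholders).
OLD_APPLIANCE_LOG = """\
01.15.2025 10:00:00 [info ] ### [###] Main.main: ============= Starting =============
01.15.2025 10:00:00 [info ] ### [###] Main.main: Version: 9.0.0.1087
"""
NEW_APPLIANCE_LOG = """\
Release version : 11.0.0.754
Application : Veeam.Updater, Version=11.0.0.754, Culture=neutral, PublicKeyToken=null
"""

if __name__ == "__main__":
    for name, log in (("older appliance", OLD_APPLIANCE_LOG), ("newer appliance", NEW_APPLIANCE_LOG)):
        print(name, updater_version_from_log(log), "needs update" if needs_update(log) else "unaffected")
```

Point the script at the text of each bundle's updater.log; a None result means no version line was found and the log should be inspected by hand.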
References
- Download advisory (English): VEEAM Releases Security Updates for Multiple Products