CVE-2024-29855 Overview
CVE-2024-29855 is a critical authentication bypass vulnerability affecting Veeam Recovery Orchestrator. The vulnerability stems from a hard-coded JWT (JSON Web Token) secret embedded in the application, which allows unauthenticated attackers to forge valid authentication tokens and gain unauthorized access to the system. This weakness (CWE-798: Use of Hard-coded Credentials) represents a severe security flaw that can lead to complete compromise of the affected disaster recovery orchestration platform.
Critical Impact
Attackers exploiting this vulnerability can bypass authentication mechanisms entirely, potentially gaining administrative access to disaster recovery infrastructure and compromising backup operations, data integrity, and business continuity systems.
Affected Products
- Veeam Recovery Orchestrator (affected versions prior to patch release)
Discovery Timeline
- 2024-06-11 - CVE-2024-29855 published to NVD
- 2025-07-14 - Last updated in NVD database
Technical Details for CVE-2024-29855
Vulnerability Analysis
The vulnerability exists due to Veeam Recovery Orchestrator utilizing a hard-coded JWT secret for token generation and validation. JWT tokens are commonly used for stateless authentication in web applications, where the server signs tokens using a secret key to verify their authenticity. When this secret is hard-coded and identical across all installations, any attacker who discovers the secret can generate valid authentication tokens without requiring legitimate credentials.
The network-accessible nature of this vulnerability means that attackers can exploit it remotely without any prior authentication or user interaction. However, the exploitation complexity is higher as attackers must first discover the hard-coded secret value.
Root Cause
The root cause of CVE-2024-29855 is the use of hard-coded credentials (CWE-798) within the Veeam Recovery Orchestrator codebase. Instead of generating unique, installation-specific secrets or using secure key management practices, the application ships with a static JWT secret. This violates fundamental secure development principles where cryptographic secrets should be unique per installation and securely managed.
Attack Vector
The attack vector for this vulnerability is network-based, allowing remote exploitation. An attacker who identifies the hard-coded JWT secret can craft authentication tokens that the Veeam Recovery Orchestrator server will accept as valid. This enables the attacker to impersonate any user, including administrative accounts, without knowledge of actual user credentials. The changed scope (S:C in CVSS vector) indicates that successful exploitation can impact resources beyond the vulnerable component itself, potentially affecting the entire backup and disaster recovery infrastructure managed by the Orchestrator.
The attack flow typically involves:
- Extracting or identifying the hard-coded JWT secret from the application
- Crafting a JWT token with desired claims (e.g., administrative privileges)
- Signing the token with the discovered secret
- Submitting requests to the Veeam Recovery Orchestrator API with the forged token
- Gaining unauthorized access to administrative functions
Detection Methods for CVE-2024-29855
Indicators of Compromise
- Unexpected authentication events without corresponding login attempts in access logs
- JWT tokens with unusual or administrative claims appearing from unrecognized source IPs
- Administrative API calls from external or unexpected network segments
- Anomalous session activity patterns that bypass normal authentication workflows
Detection Strategies
- Monitor authentication logs for successful logins that lack corresponding credential validation events
- Implement network-based detection for suspicious API requests to Veeam Recovery Orchestrator endpoints
- Deploy behavioral analysis to identify unusual administrative actions or configuration changes
- Review audit logs for privilege escalation patterns or unauthorized disaster recovery operations
Monitoring Recommendations
- Enable comprehensive logging on Veeam Recovery Orchestrator instances and forward to SIEM
- Establish baseline behavior for administrative activities and alert on deviations
- Monitor network traffic to Veeam Recovery Orchestrator for connections from unauthorized sources
- Implement alerting for any changes to disaster recovery configurations or backup policies
How to Mitigate CVE-2024-29855
Immediate Actions Required
- Apply the security patch from Veeam immediately following the guidance in KB4585
- Restrict network access to Veeam Recovery Orchestrator to trusted management networks only
- Review authentication logs for any signs of unauthorized access prior to patching
- Audit administrative user accounts and revoke any suspicious sessions
Patch Information
Veeam has released a security update to address this vulnerability. Administrators should consult the official Veeam Knowledge Base Article KB4585 for detailed patching instructions and affected version information. The patch replaces the hard-coded JWT secret with a properly randomized, installation-specific secret to prevent token forgery attacks.
Workarounds
- Implement network segmentation to limit access to Veeam Recovery Orchestrator from untrusted networks
- Deploy a web application firewall (WAF) or reverse proxy to add an additional authentication layer
- Enable IP allowlisting to restrict API access to known administrative endpoints
- Consider temporarily disabling external access to the Orchestrator until patching is complete
# Network restriction example - limit access to management subnet only
# This should be adapted to your specific firewall/network configuration
# Example iptables rule to restrict access to Veeam Recovery Orchestrator port
iptables -A INPUT -p tcp --dport 9898 -s 10.0.0.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 9898 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
