
CVE-2024-29849 Veeam Auth Bypass Analysis

CVE-2024-29849 is a CVSS 9.8 auth bypass in Veeam Backup Enterprise Manager. Root cause, exploitation, detection, and patching guidance.

Shadab Khan
Security Engineer

Veeam Backup Enterprise Manager CVE-2024-29849 is a CVSS 9.8 authentication-bypass vulnerability that Veeam disclosed on May 21, 2024. The flaw allows an unauthenticated attacker to log in to the Enterprise Manager web interface as any user, including administrative accounts, without knowing the password. Enterprise Manager is the multi-tenant web portal that aggregates management of multiple Veeam Backup & Replication servers, so a bypass here hands an attacker the keys to the entire backup estate. Researcher Sina Kheirkhah of Summoning Team is credited with the discovery, and a public proof-of-concept followed the advisory within weeks. The vulnerability is distinct from the related CVE-2024-40711 that hit the backup server later in the same product cycle, and organizations running Enterprise Manager needed both patches.

What is the technical root cause of CVE-2024-29849?

The technical root cause of CVE-2024-29849 is a flaw in Enterprise Manager's handling of the SSO token-exchange endpoint, documented by Summoning Team after coordinated disclosure. Enterprise Manager exposes a token-validation flow intended for single-sign-on integration: an external identity provider issues a signed assertion, Enterprise Manager validates it, and the user is logged in with the claimed identity. The vulnerability is that the validation path trusts a JSON field that was supposed to carry a verified subject identifier but in practice was populated directly from a request body that the attacker controls.

The practical effect is that an attacker who can reach the SSO endpoint can submit a token that claims to be any user, and Enterprise Manager honors the claim without cryptographically verifying the issuing identity provider. There is no signature check that would reject a forged assertion, which is the essence of an authentication-bypass class vulnerability. Veeam's patch rebuilds the SSO path to require a valid signature against a configured trust anchor and to reject payloads that lack one.

Summoning Team's writeup also notes that the flaw is reachable on default installations because the SSO endpoint is registered even when no identity provider is configured, so deployments that do not use SSO at all are still exposed.
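The following is an added illustration of the vulnerability class described above, not Veeam's code and not the format Veeam uses on the wire. It models a hypothetical JSON SSO assertion, a validator that takes the subject straight from the request body (the bug pattern), and a fixed validator that refuses unless the assertion carries a valid signature from a configured trust anchor. The signature is HMAC-SHA256 with a shared key purely to keep the example self-contained; a real identity provider signs with an asymmetric key, but the control being demonstrated is the same: a missing or forged signature, or no configured provider at all, must result in no session.

```python
import base64
import binascii
import hashlib
import hmac
import json
from typing import Optional

# Hypothetical assertion format for this example (not Veeam's):
#   {"assertion": {"issuer": "...", "subject": "..."}, "signature": "<base64>"}


def _canonical(assertion: dict) -> bytes:
    """Stable serialisation so signer and verifier hash identical bytes."""
    return json.dumps(assertion, sort_keys=True, separators=(",", ":")).encode()


def sign_assertion(assertion: dict, idp_key: bytes) -> dict:
    """What the (hypothetical) identity provider does: sign the canonical assertion."""
    sig = hmac.new(idp_key, _canonical(assertion), hashlib.sha256).digest()
    return {"assertion": assertion, "signature": base64.b64encode(sig).decode()}


def login_vulnerable(body: dict) -> Optional[str]:
    """Bug pattern: the claimed subject is honoured, the signature is never checked."""
    return body.get("assertion", {}).get("subject")


def login_fixed(body: dict, trust_anchor: Optional[dict]) -> Optional[str]:
    """Fixed pattern: no configured provider, wrong issuer, missing or bad signature -> no session."""
    if trust_anchor is None:
        # SSO endpoint reachable but no identity provider configured: refuse, do not accept.
        return None
    assertion = body.get("assertion")
    sig_b64 = body.get("signature")
    if not isinstance(assertion, dict) or not sig_b64:
        return None
    if assertion.get("issuer") != trust_anchor["issuer"]:
        return None
    try:
        given = base64.b64decode(sig_b64, validate=True)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(trust_anchor["key"], _canonical(assertion), hashlib.sha256).digest()
    if not hmac.compare_digest(given, expected):
        return None
    return assertion.get("subject")


if __name__ == "__main__":
    # Constructed trust anchor and assertions for a quick self-check.
    idp = {"issuer": "https://idp.example", "key": b"constructed-idp-secret"}
    genuine = sign_assertion({"issuer": "https://idp.example", "subject": "alice"}, idp["key"])
    forged = {"assertion": {"issuer": "https://idp.example", "subject": "Administrator"}, "signature": ""}
    print("vulnerable accepts forged subject:", login_vulnerable(forged))
    print("fixed rejects forged subject:", login_fixed(forged, idp))
    print("fixed accepts genuine subject:", login_fixed(genuine, idp))
```

The `trust_anchor is None` branch is the part that corresponds to the last paragraph above: an endpoint that is registered regardless of configuration has to fail closed when nothing has been configured to validate against.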

Which Veeam versions are affected?

Affected versions are Veeam Backup Enterprise Manager 5.0, 6.0, 6.5, 7.0, 8.0, 8.1, 9.0, 9.5, 10, 11, and 12 through 12.1.2.172 without the hotfix. The patched version is 12.1.2.172 with the hotfix applied, which Veeam packaged into the 12.1.2 update released on May 21, 2024. All prior Enterprise Manager releases that receive security updates were covered by the advisory; older out-of-support versions are implicitly exposed and have no fixed upgrade path other than moving to 12.1.2.

Enterprise Manager is optional in Veeam deployments, and many small estates do not install it. Mid-size and enterprise deployments almost always do, because it provides:

  • Centralized self-service restore for end users
  • Cross-server reporting across multiple Backup & Replication hosts
  • Billing and usage reports for managed-service scenarios
  • Delegated administration for tenant operators

Managed service providers are an especially important cohort because Enterprise Manager is the primary multi-tenant management plane in Veeam's service-provider model.

How does the exploit chain work end-to-end?

The exploit chain works by sending a single HTTP POST to the Enterprise Manager SSO endpoint with a crafted JSON body that claims to represent an administrator account. As reported by Summoning Team in their disclosure writeup, the endpoint returns a session cookie that Enterprise Manager then treats as authenticated for the claimed user. Once logged in, the attacker has full administrative access to Enterprise Manager's UI and API.

Post-authentication capabilities that matter:

  • Enumerate every Backup & Replication server registered to the Enterprise Manager
  • Trigger restore operations that mount backup data for the attacker to retrieve
  • Configure new backup targets (including attacker-controlled endpoints) that will receive future backup data
  • Extract credentials that Enterprise Manager uses to reach its managed backup servers
  • Pivot into the underlying Backup & Replication servers using the trusted management relationship

Public PoCs demonstrated the SSO bypass and the subsequent administrative capability separately. An attacker chaining them together gains not only read access to backup data (typically the entire virtualized estate) but also the ability to corrupt or destroy backups before any ransomware encryption step.

What public IoCs did researchers and vendors publish?

Public IoCs published by Veeam and by IR firms after disclosure include:

  • HTTP POST requests to the Enterprise Manager SSO endpoint (paths documented in Summoning Team's writeup) from source IPs that do not belong to the organization's SSO provider
  • Enterprise Manager audit logs showing logins for users without a corresponding authentication event on the identity provider
  • New REST API tokens or new delegated-admin roles created shortly after an anomalous login
  • Unexpected restore-job initiations targeting external storage endpoints
  • Configuration changes to backup targets that redirect jobs to non-standard destinations

Network-layer detection is straightforward if the Enterprise Manager is published on an HTTPS endpoint that a WAF or load balancer can inspect. Many deployments expose Enterprise Manager directly to internal users, which means the detection burden falls on host logs and the application's own audit trail.
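The two host-side checks that the IoC list above implies (SSO-endpoint POSTs from sources that are not the identity provider, and Enterprise Manager logins with no matching identity-provider authentication) can be scripted over the application's own logs. The script below is an added example, not Veeam or vendor detection content: the three log formats are constructed for illustration and are not Veeam's or any IdP's real formats, `SSO_PATH` is a placeholder because the real path is only documented in Summoning Team's writeup, and `IDP_SOURCES` stands in for the networks your identity provider actually calls from.

```python
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Dict, List

# Placeholder: substitute the real SSO endpoint path from the vendor/researcher documentation.
SSO_PATH = "/sso-endpoint-placeholder"
# Constructed: networks the organisation's identity provider is expected to call from.
IDP_SOURCES = [ip_network("10.10.5.0/24")]
# An EM login is "backed" if the IdP authenticated the same user within this window before it.
CORRELATION_WINDOW = timedelta(minutes=5)

# Constructed log formats (not real Veeam or IdP formats):
#   access log: "<iso-ts> <src-ip> <method> <path> <status>"
#   EM audit:   "<iso-ts> LOGIN user=<name> src=<ip>"
#   IdP events: "<iso-ts> AUTH_OK user=<name>"
ACCESS_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
AUDIT_RE = re.compile(r"^(\S+) LOGIN user=(\S+) src=(\S+)$")
IDP_RE = re.compile(r"^(\S+) AUTH_OK user=(\S+)$")

# Constructed sample lines: one legitimate SSO login, one login from a foreign source.
ACCESS_LOG = [
    "2024-06-03T09:14:02 10.10.5.20 POST /sso-endpoint-placeholder 200",
    "2024-06-03T11:47:55 203.0.113.44 POST /sso-endpoint-placeholder 200",
    "2024-06-03T11:48:10 203.0.113.44 GET /placeholder-admin-page 200",
]
EM_AUDIT_LOG = [
    "2024-06-03T09:14:03 LOGIN user=alice src=10.10.5.20",
    "2024-06-03T11:47:56 LOGIN user=Administrator src=203.0.113.44",
]
IDP_LOG = [
    "2024-06-03T09:13:59 AUTH_OK user=alice",
]


def sso_posts_from_foreign_sources(access_lines: List[str]) -> List[Dict]:
    """POSTs to the SSO endpoint whose source is outside the IdP's known networks."""
    hits = []
    for line in access_lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected format
        ts, src, method, path, status = m.groups()
        if method == "POST" and path == SSO_PATH:
            if not any(ip_address(src) in net for net in IDP_SOURCES):
                hits.append({"ts": ts, "src": src, "status": int(status)})
    return hits


def logins_without_idp_event(audit_lines: List[str], idp_lines: List[str]) -> List[Dict]:
    """EM logins for which the IdP recorded no authentication of that user shortly before."""
    idp_auths: Dict[str, List[datetime]] = {}
    for line in idp_lines:
        m = IDP_RE.match(line)
        if m:
            idp_auths.setdefault(m.group(2), []).append(datetime.fromisoformat(m.group(1)))
    orphans = []
    for line in audit_lines:
        m = AUDIT_RE.match(line)
        if not m:
            continue
        ts, user, src = datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)
        backed = any(timedelta(0) <= ts - t <= CORRELATION_WINDOW for t in idp_auths.get(user, []))
        if not backed:
            orphans.append({"ts": ts.isoformat(), "user": user, "src": src})
    return orphans


def run_detection() -> Dict[str, List[Dict]]:
    """Run both checks over the constructed sample logs."""
    return {
        "foreign_sso_posts": sso_posts_from_foreign_sources(ACCESS_LOG),
        "unbacked_logins": logins_without_idp_event(EM_AUDIT_LOG, IDP_LOG),
    }


if __name__ == "__main__":
    for name, findings in run_detection().items():
        print(name, findings)
```

On the sample data the first check flags the POST from 203.0.113.44 and the second flags the `Administrator` login that has no identity-provider authentication behind it, while `alice` (authenticated by the IdP four seconds earlier) is not reported. In a SIEM the same two joins map directly onto the first two IoC bullets above; the remaining bullets (new tokens or roles, unexpected restores, target changes) are follow-on events you would chain after either alert fires.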

What exploitation requirements must be met?

The exploitation requirements are network reachability to the Enterprise Manager HTTPS endpoint and nothing else: no credentials are needed. That is the lowest possible bar for a critical vulnerability and is why the advisory scored 9.8. Unlike some auth-bypass bugs, CVE-2024-29849 does not require a specific SSO configuration to be enabled; the endpoint is registered in default installations.

Conditions that affect exploit reliability:

  • Enterprise Manager behind a reverse proxy that enforces mTLS: eliminates external exploitability and reduces internal exposure
  • Enterprise Manager on its dedicated management VLAN: raises the bar to initial lateral movement
  • Web application firewall with custom signatures for the SSO endpoint: provides virtual patching
  • Default port (9443) exposed to the internet: fully exploitable

What exploitation does not require:

  • Knowledge of valid usernames (any username string is accepted during the bypass)
  • A configured identity provider
  • Prior compromise of the organization
  • Authentication of any kind at any layer below the Enterprise Manager
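Because the bypass needs nothing beyond reachability, patch order should be driven by which instances are on an affected build and how they are exposed. The script below is an added example (not Veeam tooling and not a Safeguard.sh feature) that normalises Enterprise Manager build strings of two to four components, classifies each against the fixed build named in the advisory, and orders an inventory by the exposure conditions listed above. The inventory rows are constructed, and the build numbers on them are illustrative rather than real release numbers.

```python
from typing import Dict, List, Tuple

# The fixed build from the advisory; per the text, 12.1.2.172 is fixed only with the hotfix applied.
FIXED_BUILD = (12, 1, 2, 172)

# Exposure conditions from the list above, 1 = patch first.
EXPOSURE_PRIORITY = {
    "internet": 1,     # default port reachable from the internet: fully exploitable
    "internal": 2,     # flat internal network: exploitable by anyone already inside
    "mgmt-vlan": 3,    # dedicated management VLAN: needs lateral movement first
    "mtls-proxy": 4,   # behind an mTLS-enforcing reverse proxy: no unauthenticated reach
}

# Constructed inventory (host names and build numbers are illustrative).
INVENTORY = [
    {"host": "em-dmz-01", "build": "11.0.1.10", "exposure": "internet"},
    {"host": "em-core-02", "build": "12.1.2.172", "exposure": "mgmt-vlan"},
    {"host": "em-lab-03", "build": "9.5", "exposure": "internal"},
    {"host": "em-new-04", "build": "12.1.2.200", "exposure": "mtls-proxy"},
]


def parse_build(version: str) -> Tuple[int, ...]:
    """Normalise '9.5', '11.0.1.10', '12.1.2.172' to a 4-tuple so builds compare numerically."""
    parts = version.strip().split(".")
    if not 1 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised build string: {version!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (4 - len(nums))


def classify(version: str) -> str:
    """'affected' below the fixed build, 'verify-hotfix' at exactly 12.1.2.172, 'fixed' above."""
    build = parse_build(version)
    if build < FIXED_BUILD:
        return "affected"
    if build == FIXED_BUILD:
        return "verify-hotfix"
    return "fixed"


def triage(inventory: List[Dict]) -> List[Dict]:
    """Return every non-fixed instance, most exposed first, confirmed-affected before verify-hotfix."""
    rows = []
    for item in inventory:
        status = classify(item["build"])
        if status == "fixed":
            continue
        rows.append({
            "host": item["host"],
            "build": item["build"],
            "status": status,
            "exposure": item["exposure"],
            "priority": EXPOSURE_PRIORITY[item["exposure"]],
        })
    rows.sort(key=lambda r: (r["priority"], r["status"] != "affected", r["host"]))
    return rows


if __name__ == "__main__":
    for row in triage(INVENTORY):
        print(row)
```

The three-way classification matters because a host that reports exactly 12.1.2.172 cannot be called fixed from the version string alone: per the versions section, that build is only safe with the hotfix, so it is queued for verification rather than dropped from the list.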

What is the patch and hardening plan?

The patch plan is to upgrade Enterprise Manager to 12.1.2.172 or later and, as a compensating control, to restrict network access to the management interface. Upgrade first and only then rotate credentials, because any compromise that predates the patch may have established persistence through legitimate-looking delegated-admin accounts, and credentials rotated on an unpatched instance can simply be re-stolen.

Remediation sequence:

  1. Upgrade Enterprise Manager to the fixed build across all instances (Veeam ships a dedicated Enterprise Manager installer that is distinct from the Backup & Replication installer)
  2. Audit the Enterprise Manager user and role list for unfamiliar accounts, especially delegated admins
  3. Rotate every credential stored in Enterprise Manager, which includes credentials used to reach each managed Backup & Replication host
  4. Review recent restore operations for data that may have been exfiltrated through a restore flow
  5. Review backup-target configuration for unauthorized destinations added during the exposure window

Hardening that pays dividends beyond this CVE:

  • Place Enterprise Manager behind an authenticating reverse proxy with mTLS or an SSO-aware gateway
  • Isolate Enterprise Manager into a management VLAN with tight source-IP allowlists
  • Enable MFA for every Enterprise Manager user (the product supports it but it is off by default for legacy deployments)
  • Integrate Enterprise Manager audit logs with the SIEM and alert on administrative actions outside business hours

Veeam's post-disclosure knowledge-base articles also recommend replacing Enterprise Manager's default TLS certificate with one issued from an internal CA and enforcing certificate pinning on any automation that reaches the interface.

What are the supply chain implications?

The supply chain implications are concentrated in the managed-service-provider segment because Enterprise Manager is the MSP control plane for multi-tenant Veeam deployments. An MSP that operates Enterprise Manager for dozens or hundreds of customers, if compromised through this CVE, effectively hands every customer's backup environment to the attacker simultaneously. Veeam's service-provider customers were singled out in several IR writeups during the 2024 wave of backup-infrastructure targeting, and while the specific CVE exploited varied, the pattern is the same: critical auth bypasses in multi-tenant management planes have outsized supply-chain impact.

Questions to push to MSPs operating Veeam on your behalf:

  • Is Enterprise Manager patched to the fixed build across all tenant-facing instances?
  • Is Enterprise Manager segregated per tenant or shared across tenants?
  • What audit evidence will the MSP provide for the exposure window?

Customers whose backup estate is managed through an external Enterprise Manager should treat their backup data as potentially compromised during the period between the vulnerability existing upstream (the full release history back to 5.0) and the MSP confirming patch completion.

How Safeguard.sh Helps

Safeguard.sh inventories Veeam Enterprise Manager deployments through 100-level dependency depth analysis that identifies every Enterprise Manager host, the specific build installed, and the network topology that exposes it. Reachability analysis cuts 60 to 80 percent of findings by confirming which Enterprise Manager instances are actually reachable from untrusted networks versus those already segmented, so patch priority reflects real exploit paths. Griffin AI autonomously proposes network segmentation policy for management planes, drafts reverse-proxy configuration for MFA-backed access, and generates patch orchestration for Enterprise Manager alongside the related Backup & Replication updates. Container self-healing rebuilds containerized management consoles against patched bases without manual intervention, and SBOM ingest captures MSP-operated Enterprise Manager instances that affect your risk through the third-party risk management workflow.
