CVE-2024-22022 is a high-severity vulnerability affecting Veeam Recovery Orchestrator versions 5 and 6. The flaw allows a user with a low-privileged role within the Veeam Recovery Orchestrator environment to access the NTLM hash of the service account used by the Veeam Orchestrator Server Service. This vulnerability falls under CWE-200, indicating an information exposure issue. The NTLM hash is a sensitive credential that, if obtained by an attacker, can be used to perform pass-the-hash attacks or offline cracking attempts to escalate privileges or move laterally within a network. The vulnerability requires network access (AV:N), low attack complexity (AC:L), and low privileges (PR:L) but does not require user interaction (UI:N). The scope is unchanged (S:U), and the impact on confidentiality, integrity, and availability is high (C:H/I:H/A:H). Although no public exploits are currently known in the wild, the vulnerability presents a significant risk due to the sensitivity of the leaked credential and the potential for privilege escalation and further compromise within enterprise environments that rely on Veeam Recovery Orchestrator for disaster recovery orchestration and automation.

For European organizations, this vulnerability poses a serious threat to the security of disaster recovery and backup orchestration processes. Veeam Recovery Orchestrator is widely used in enterprise environments to automate and manage recovery workflows, making it a critical component of business continuity strategies. Exposure of the NTLM hash of the service account could allow attackers to escalate privileges and gain unauthorized access to backup and recovery infrastructure, potentially leading to data breaches, ransomware attacks, or disruption of recovery operations. This could severely impact organizations in regulated sectors such as finance, healthcare, and critical infrastructure, where data integrity and availability are paramount. Additionally, the ability to move laterally within networks using compromised credentials increases the risk of widespread compromise across interconnected systems. The high CVSS score (8.8) reflects the potential for significant operational and reputational damage if exploited.

To mitigate this vulnerability, European organizations should prioritize the following actions: 1) Apply vendor patches or updates as soon as they become available, even though no patch links are currently provided, monitoring Veeam’s official channels for updates. 2) Restrict access to Veeam Recovery Orchestrator to only trusted administrators and minimize the assignment of low-privileged roles to users who do not require them. 3) Implement network segmentation and strict access controls around the Veeam Recovery Orchestrator server to limit exposure to potentially malicious users. 4) Monitor logs and audit trails for unusual access patterns or attempts to access sensitive credential information. 5) Employ multi-factor authentication (MFA) for accounts with access to Veeam systems to reduce the risk of credential misuse. 6) Regularly rotate service account credentials and consider using managed service accounts or credential vaulting solutions to reduce the risk of credential exposure. 7) Conduct internal security assessments and penetration tests focused on backup and recovery infrastructure to identify and remediate similar privilege escalation risks.