Veritas Enterprise Vault Vulnerabilities Lets Attackers Execute Arbitrary Code Remotely

Critical security vulnerability has been identified in Veritas Enterprise Vault, a widely-used archiving and content management solution.

The vulnerability, rated with a CVSS v3.1 Base Score of 9.8 (Critical), could allow attackers to execute arbitrary code on affected servers.

This exploit leverages vulnerabilities inherent to the .NET Remoting service used by Enterprise Vault.

The Nature of the Vulnerability

The issue stems from the .NET Remoting TCP ports that Enterprise Vault services utilize during start-up.

These ports, which are dynamically allocated, are susceptible to exploitation. A malicious attacker can exploit these TCP remoting services as well as the local Inter-Process Communication (IPC) services on the Enterprise Vault server by sending specially crafted data.

Fortunately, exploiting this vulnerability is not straightforward and requires several preconditions to be met, including:

1. RDP Access: The attacker must have Remote Desktop Protocol (RDP) access to a virtual machine within the network. This requires the attacker to be part of the “Remote Desktop Users” group.
2. Network Knowledge: The attacker must know the specific IP address of the Enterprise Vault server, the process IDs (which are randomly assigned), the dynamic TCP ports, and the remoteable object URIs.
3. Improper Firewall Configuration: The firewall on the Enterprise Vault server must be misconfigured or disabled.

If these conditions are fulfilled, an attacker could execute remote code on the server, potentially compromising sensitive data and causing significant damage.

Leveraging 2024 MITRE ATT&CK Results for SME & MSP Cybersecurity Leaders – Attend Free Webinar

Affected Versions

This vulnerability impacts all currently supported versions of Enterprise Vault, including:

• Versions 15.1, 15.0, 15.0.1, 15.0.2
• Versions 14.5 through 14.0, as well as all interim updates (e.g., 14.5.1, 14.4.2, etc.)

Earlier unsupported versions may also be affected, heightening the urgency for organizations relying on legacy systems to review their security posture.

Mitigation and Recommendations

While Veritas has announced plans to remediate this vulnerability in Enterprise Vault version 15.2, expected to be generally available in the third quarter of 2025, immediate mitigation steps are advised to protect against potential exploits. Organizations should:

1. Restrict Access: Limit access to the Enterprise Vault server to authorized Enterprise Vault administrators only, as outlined in the Enterprise Vault Administrator’s Guide.
2. Screen RDP Users: Ensure that only trusted individuals are part of the “Remote Desktop Users” group and have RDP access to the server.
3. Configure Firewalls: Enable and properly configure the Enterprise Vault server’s firewall settings according to the Administrator’s Guide.
4. Apply Windows Updates: Regularly install the latest Windows security updates to minimize exposure to known vulnerabilities.

Veritas has acknowledged the vulnerability and credited Sina Kheirkhah, working with Trend Micro’s Zero Day Initiative (ZDI), for responsibly disclosing it.

The company encourages affected customers to reach out to Veritas Technical Support for any questions or assistance related to this issue.

Analyze cyber threats with ANYRUN's powerful sandbox. Black Friday Deals : Get up to 3 Free Licenses.