Attacker Value
(1 user assessed)
(1 user assessed)
User Interaction
Privileges Required
Attack Vector

CVE-2020-10915 Preauth RCE in VEEAM One Agent

Disclosure Date: April 22, 2020
Add any MITRE ATT&CK Tactics to the list below that apply to this CVE.


This vulnerability allows remote attackers to execute arbitrary code on affected installations of VEEAM One Agent Authentication is not required to exploit this vulnerability. The specific flaw exists within the HandshakeResult method. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-10401.

Add Assessment

Technical Analysis

Veeam is a popular provider of enterprise backup solutions. The Veeam ONE Agent, which also runs on the ONE solution’s server, is vulnerable to pre-auth RCE through .NET deserialization.

This would be a valuable target if found, since backups can often contain sensitive information, not to mention the possibility of “poisoning” them for persistence. Additionally, since this is RCE in the agent, which runs on both the server and its managed hosts, there is potential for widespread exploitation, at least on an internal network, possibly even corporate laptops out in the world – but I don’t want to speculate too much. :–)

I couldn’t find any analyses or PoCs, so I did a little patch analysis and came up with an exploit for this particular CVE. The patches are shown below.

CVE-2020-10914 / ZDI-20-545

PerformHandshake() patch

CVE-2020-10915 / ZDI-20-546

HandshakeResult() patch

Here’s the other CVE on AKB: I haven’t done anything with it yet, but I can hit the code path. I targeted HandshakeResult() because it seemed more straightforward to trigger a failure in the handshake.

General Information




  • One Agent
Technical Analysis