Recovery Orchestrator
CVE-2024-29855
CRITICAL
Severity by source
AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Primary rating from Vendor (hackerone) · only source for this CVE.
CVSS VectorVendor: hackerone
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Hard-coded JWT secret allows authentication bypass in Veeam Recovery Orchestrator
AnalysisAI
Hard-coded JWT secret allows authentication bypass in Veeam Recovery Orchestrator. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Technical ContextAI
This vulnerability is classified as Use of Hard-coded Credentials (CWE-798), which allows attackers to gain access using credentials embedded in source code. Hard-coded JWT secret allows authentication bypass in Veeam Recovery Orchestrator Affected products include: Veeam Recovery Orchestrator.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Remove hard-coded credentials, use environment variables or secrets management, rotate exposed credentials immediately.
More in Recovery Orchestrator
View allVulnerability CVE-2024-22022 allows a Veeam Recovery Orchestrator user that has been assigned a low-privileged role to a
Vulnerability CVE-2024-22021 allows a Veeam Recovery Orchestrator user with a low privileged role (Plan Author) to retri
Same weakness CWE-798 – Use of Hard-coded Credentials
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today