Triage Logo
Triage Security
Request Beta Access
Back to all articles
Signal Shorts Vulnerability ManagementBrowser SecurityInfrastructure Security

Chrome Zero-Day and Critical Veeam Vulnerability require immediate patching

New findings confirm active exploitation of a Chrome zero-day alongside a critical RCE vulnerability in Veeam Backup & Replication. This update outlines the technical nature of these risks and provides specific guidance for securing browser endpoints and backup infrastructure.

Triage Security Media Team
3 min read

The security field requires immediate attention regarding two distinct but significant findings: a confirmed zero-day vulnerability in Google Chrome and a critical flaw in Veeam Backup & Replication. Google has confirmed that the Chrome vulnerability is currently active in the wild. This discovery, the eighth of its kind this year, indicates a continued focus by threat actors on browser-based entry points. Simultaneously, the disclosure of a critical flaw in Veeam suggests a parallel risk to the backup systems organizations rely on for recovery.

These developments present a dual challenge for enterprise security. The Chrome zero-day (CVE-2024-5274) represents a risk to the perimeter and user endpoints. In contrast, the Veeam vulnerability (CVE-2024-29849) involves unauthenticated remote code execution (RCE), threatening the integrity of data recovery processes. When unauthenticated RCE affects backup infrastructure, the risk extends beyond data loss; unauthorized parties could obtain high-level access to the network, move laterally, and inhibit system restoration.

In parallel with these software vulnerabilities, observations indicate a shift in operational techniques. Threat actors are increasingly using legitimate cloud services—such as Google Sheets and administrative tools—to manage command-and-control (C2) communications. This "living-off-the-cloud" method complicates detection, as malicious traffic often resembles standard business operations.

Technical analysis

Google Chrome: CVE-2024-5274

The Chrome vulnerability is a high-severity type confusion bug within the V8 JavaScript engine. Within the MITRE ATT&CK framework, this aligns with Exploitation for Client Execution (T1203). Type confusion arises when a program allocates a resource using one type but accesses it using an incompatible type. This discrepancy can allow unauthorized parties to read or write memory out of bounds, potentially leading to arbitrary code execution inside the browser’s sandbox. While Google limits the release of specific exploit details to delay wider abuse, the rapid issuance of the fix reflects the severity of the risk.

Veeam Backup & Replication: CVE-2024-29849

The Veeam vulnerability carries a CVSS score of 9.8, classifying it as critical. It permits an unauthenticated actor to execute code remotely on the backup server, mapping to Exploitation of Remote Services (T1210). Backup servers typically hold extensive administrative privileges to function across network segments. Compromise at this level grants substantial control over the environment. Unauthorized access here could allow data exfiltration or log deletion prior to the deployment of ransomware, significantly complicating recovery efforts.

Remediation guidance

We recommend security teams take the following steps to secure their environments:

  1. Update browsers immediately: Apply the latest updates to Chrome and Chromium-based browsers (including Microsoft Edge, Brave, and Vivaldi). Prioritize endpoints used by staff with administrative access or departments frequently subject to social engineering, such as finance and human resources.
  2. Patch backup infrastructure: Update Veeam Backup & Replication servers to the latest version immediately.
  3. Verify network isolation: Ensure backup infrastructure is not exposed to the public internet.
  4. Audit service accounts: Review Veeam service accounts for configuration changes or activity that deviates from established baselines.

Detection strategies

To address the "living-off-the-cloud" techniques and specific exploits described above, monitoring strategies should focus on the following:

  • Cloud traffic analysis: Inspect anomalous outbound connections to legitimate cloud services from systems that do not typically initiate such traffic, particularly servers and service accounts.
  • Browser process monitoring: For the Chrome vulnerability, monitor for unusual child processes spawning from the browser, such as cmd.exe or powershell.exe. This often indicates a sandbox escape.
  • Veeam network activity: Review logs for unauthorized connections to the Veeam Backup Service, typically on port 9392. Any connection including an internal or external IP address not recognized as a management console warrants investigation.

Strengthening resilience

The data from 2024 indicates that threat actors continue and efficiently identify flaws in ubiquitous applications and the software supply chain. This validates the need for a defense-in-depth strategy that assumes individual application integrity may fail. With the recovery layer increasingly targeted, security programs must ensure backups are immutable and architecturally isolated from the primary production environment.

While current patches resolve the immediate software flaws, the precise methods used to leverage CVE-2024-5274 remain partially undisclosed to protect the user base. Security teams should maintain vigilance and continue monitoring for indicators of compromise (IOCs) as further forensic data becomes available.

Sources & References