Critical Unauthenticated RCE Flaws Expose Veeam Backup & Recovery and Node.js MCP Server
Two critical vulnerabilities were disclosed that allow unauthenticated remote code execution against exposed systems. CVE-2024-40711 affects Veeam Backup & Recovery and stems from deserialization of untrusted data, enabling remote compromise when an attacker can deliver a crafted payload to a vulnerable instance. The flaw puts backup infrastructure at particular risk because successful exploitation could give attackers direct access to systems designed to store and manage recovery data.
A separate flaw, GHSA-V6WJ-C83F-V46X, impacts the domain_lookup module in @profullstack/mcp-server and is described as an OS command injection vulnerability with a CVSS 9.8 rating. Exploitation allows attackers to execute commands with the privileges of the Node.js process, exposing source code, configuration files, environment variables, database credentials, and cryptographic keys, while also enabling persistence, malware deployment, service termination, and broader lateral movement. Together, the disclosures highlight continued risk from internet-exposed enterprise software and developer tooling that process untrusted input without adequate safeguards.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
CVEReports discloses critical OS command injection in @profullstack/mcp-server
CVEReports published details on GHSA-v6wj-c83f-v46x, a critical OS command injection vulnerability in the @profullstack/mcp-server domain_lookup module. The report said the flaw enables unauthenticated remote code execution with the privileges of the Node.js application process and could expose sensitive files, enable persistence, or cause denial of service.
Armis publishes warning on Veeam Backup & Recovery RCE flaw CVE-2024-40711
Armis published an alert describing CVE-2024-40711, a critical deserialization of untrusted data vulnerability in Veeam Backup & Recovery that could allow unauthenticated remote code execution via a crafted payload. The notice said affected versions could be remotely compromised if exposed to an attacker able to deliver the malicious payload.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
AWS MCP Server Flaws Expose File Read and Remote Code Execution Risks
Researchers disclosed multiple security flaws affecting AWS MCP components, including a local file inclusion bug in the AWS Remote MCP Server and a critical command injection issue in `aws-mcp-server`. Varonis said authenticated users could abuse AWS CLI shorthand syntax, specifically the `@=` operator passed through the `aws___call_aws` tool, to read arbitrary files from the underlying host even when `FileAccessMode=NO_ACCESS` was enabled. AWS assigned **CVE-2026-4270** to the file access restriction bypass and said the issue was fixed in `aws-api-mcp-server` version **1.3.9**; the exposure affected the public endpoint `aws-mcp.us-east-1.api.aws` as well as self-hosted or forked deployments. A separate flaw, tracked as **CVE-2026-5058** and published by Trend Micro's Zero Day Initiative as **ZDI-26-246**, allows unauthenticated remote code execution in `aws-mcp-server` because user-supplied input in the allowed-commands list is not properly validated before being used in a system call. ZDI rated the bug **CVSS 9.8** and said successful exploitation lets attackers run arbitrary code in the MCP server context; the advisory was released as a 0-day after the vendor rejected the report. The disclosures landed alongside another AWS bulletin for **CVE-2026-4269**, an improper S3 ownership verification issue in the Bedrock AgentCore Starter Toolkit, underscoring broader security concerns around MCP-related tooling and the need for immediate patching and review of derivative implementations.
Jun 12, 2026
Critical RCE Flaws in Veeam Backup & Replication and Rsync Require Patching
Authorities warned of critical vulnerabilities in two widely used backup and file synchronization products, with the most severe issues enabling remote code execution. In **Veeam Backup & Replication** version `12.3.1.1139` and all earlier `12.x` releases, **CVE-2025-23121** can allow code execution on a backup server when an authenticated domain user account is available, particularly on domain-joined systems. Two additional Veeam flaws, **CVE-2025-24286** and **CVE-2025-24287**, can also lead to arbitrary code execution through backup job modification by an authenticated backup operator or by manipulating local directory contents as a local system user. A separate alert covered **Rsync** version `3.3.0` and earlier, where six server-side vulnerabilities were disclosed. The most critical, **CVE-2024-12084**, can allow arbitrary code execution on a target Rsync server, while additional flaws include **CVE-2024-12085**, **CVE-2024-12747**, **CVE-2024-12086**, **CVE-2024-12087**, and **CVE-2024-12088**; the client application is not affected. Defenders were urged to apply vendor fixes immediately, including upgrading Veeam to version `12.3.2` build `12.3.2.3617` and installing patched Rsync packages provided by Linux distributors.
Apr 23, 2026
Veeam Patches Critical RCE and Privilege Escalation Flaws Across Backup Products
Veeam released security updates for multiple products after disclosing several vulnerabilities that affect enterprise backup and monitoring environments, including **Veeam Backup & Replication**, **Veeam ONE**, and **Veeam Service Provider Console**. The most severe issue, **`CVE-2026-32998`**, is a critical remote code execution flaw in Veeam Service Provider Console with a **CVSS score of 9.4**; Veeam said it is fixed in **version `9.2.1.33875`**. Canadian Centre for Cyber Security advisory **AV26-513** said affected versions include Veeam Backup & Replication 13 releases before **`13.0.2.29`**, Veeam ONE releases before **`13.0.2.6723`**, and Veeam Service Provider Console 9.2 releases before **`9.2.1.33875`**, and urged administrators to apply the vendor updates. Veeam also patched **`CVE-2026-32996`**, a high-severity local privilege escalation flaw in **Veeam Agent for Microsoft Windows** that could let a low-privileged local user gain administrative control, and **`CVE-2026-32997`**, an arbitrary file write issue affecting Linux-based backup servers running the **Veeam Software Appliance** that could allow an authenticated backup administrator to modify system files. For organizations unable to patch immediately, Veeam provided a workaround for the Service Provider Console bug by disabling the `AlarmManagement_ScriptExecution` setting in the local configuration JSON file, while older reporting on **Veeam ONE** underscores the continued security focus on Veeam’s management stack.
May 28, 2026