Standalone backup agent for Microsoft Windows servers and workstations (formerly Veeam Endpoint Backup FREE)
WadeOWL
Full Name: Wade.Ling

Vulnerable File Detected on Windows Server with Veeam Agent

Post by WadeOWL »

Hi Everyone,

Several Windows Server machines in our environment have Veeam Agent for Windows installed and connected to the Veeam Backup Server.
All backup jobs are running normally.

However, our company’s internal vulnerability scanner recently detected a potentially insecure file located in the Veeam Agent installation path on multiple servers:
System.Text.Json.dll (current version: 6.0.222.6406).
The scanner recommends updating it to 6.0.10 or 8.0.5.
The related CVE is CVE-2024-43485.

Here’s our current environment:
Veeam Server version: 12.3.2
Veeam Agent version: 6.3.2.1205
Detected path: C:\Program Files\Veeam\Endpoint Backup\net462

May I ask how this file should be handled?
Do we need to manually patch or update it, and if so, what is the correct method?

I’ve also opened a support case (#07839563) for further investigation.
Any advice or guidance from the community or Veeam team would be greatly appreciated.

Thanks in advance for your help!
Mildur
Product Manager
Full Name: Fabian K.

Re: Vulnerable File Detected on Windows Server with Veeam Agent

Post by Mildur »

Hi Wade,

Our R&D team is aware of this CVE affecting a third-party component we use with Veeam Agent.
According to our internal notes, manual patching is not possible, as this DLL file has version dependencies on other DLLs that must be updated together.
A fix is planned for the next update of Veeam Agent. I will contact our security team for further information and provide you with an update as soon as I have it.

Best regards,
Fabian
Product Management Analyst @ Veeam Software

Re: Vulnerable File Detected on Windows Server with Veeam Agent

Post by Mildur »

Hi Wade,

According to our security team, there is currently no clear way to exploit this vulnerability in System.Text.Json.dll, and the impact is limited to Denial of Service attacks.

I’ve received confirmation that the issue is resolved with Veeam Agent for Windows v13, as we will begin using System.Text.Json.dll from the system, allowing it to be updated through System Updates.
The library in Veeam Agent for Windows v6 will be updated with one of the next patches.

Best regards,
Fabian
Product Management Analyst @ Veeam Software