Standalone backup agent for Microsoft Windows servers and workstations (formerly Veeam Endpoint Backup FREE)
WadeOWL
Lurker
Full Name: Wade.Ling

Vulnerable File Detected on Windows Server with Veeam Agent

Post by WadeOWL »

Hi Everyone,

Several Windows Server machines in our environment have Veeam Agent for Windows installed and connected to the Veeam Backup Server.
All backup jobs are running normally.

However, our company’s internal vulnerability scanner recently detected a potentially insecure file located in the Veeam Agent installation path on multiple servers:
System.Text.Json.dll (current version: 6.0.222.6406).
The scanner recommends updating it to 6.0.10 or 8.0.5.
The related CVE is CVE-2024-43485.

Here’s our current environment:
Veeam Server version: 12.3.2
Veeam Agent version: 6.3.2.1205
Detected path: C:\Program Files\Veeam\Endpoint Backup\net462

May I ask how this file should be handled?
Do we need to manually patch or update it, and if so, what is the correct method?

I’ve also opened a support case (#07839563) for further investigation.
Any advice or guidance from the community or Veeam team would be greatly appreciated.

Thanks in advance for your help!
Mildur
Product Manager
Full Name: Fabian K.
Location: Switzerland

Re: Vulnerable File Detected on Windows Server with Veeam Agent

Post by Mildur »

Hi Wade,

Our R&D team is aware of this CVE affecting a third-party component we use with Veeam Agent.
According to our internal notes, manual patching is not possible, as this DLL file has version dependencies on other DLLs that must be updated together.
A fix is planned for the next update of Veeam Agent. I will contact our security team for further information and provide you with an update as soon as I have it.

Best regards,
Fabian
Product Management Analyst @ Veeam Software
Mildur
Product Manager
Full Name: Fabian K.
Location: Switzerland

Re: Vulnerable File Detected on Windows Server with Veeam Agent

Post by Mildur »

Hi Wade,

According to our security team, there is currently no clear way to exploit this vulnerability in System.Text.Json.dll, and the impact is limited to Denial of Service attacks.

I’ve received confirmation that the issue is resolved with Veeam Agent for Windows v13, as we will begin using System.Text.Json.dll from the system, allowing it to be updated through System Updates.
The library in Veeam Agent for Windows v6 will be updated with one of the next patches.

Best regards,
Fabian
Product Management Analyst @ Veeam Software
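
An added example, not part of the thread and not Veeam's own tooling: a read-only PowerShell inventory that lists every copy of System.Text.Json.dll under the agent folder and marks the ones still at the file version the scanner reported, so hosts can be compared before and after a vendor update without touching the DLL. The function name is hypothetical, the path and version are the values quoted in the first post, and remote hosts are assumed to have PowerShell remoting enabled.

```powershell
# Added example: read-only inventory, nothing is modified or replaced.
# Get-FlaggedJsonDll is a hypothetical name; path and version come from the first post.
function Get-FlaggedJsonDll {
    [CmdletBinding()]
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME),
        [string]$InstallRoot = 'C:\Program Files\Veeam\Endpoint Backup',
        [version]$FlaggedFileVersion = '6.0.222.6406'
    )

    # Runs on the target host; returns plain strings so results survive remoting.
    $scan = {
        param($root)
        if (-not (Test-Path -LiteralPath $root)) { return }
        Get-ChildItem -LiteralPath $root -Filter 'System.Text.Json.dll' -Recurse -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                $vi = $_.VersionInfo
                [pscustomobject]@{
                    Path           = $_.FullName
                    FileVersion    = '{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
                    ProductVersion = $vi.ProductVersion
                    LastWriteTime  = $_.LastWriteTime
                }
            }
    }

    foreach ($computer in $ComputerName) {
        $rows = if ($computer -eq $env:COMPUTERNAME) {
            & $scan $InstallRoot
        } else {
            Invoke-Command -ComputerName $computer -ScriptBlock $scan -ArgumentList $InstallRoot
        }
        foreach ($row in $rows) {
            [pscustomobject]@{
                Computer              = $computer
                Path                  = $row.Path
                FileVersion           = $row.FileVersion
                ProductVersion        = $row.ProductVersion
                LastWriteTime         = $row.LastWriteTime
                # True while the file is still the build the scanner reported.
                MatchesScannerFinding = ([version]$row.FileVersion -eq $FlaggedFileVersion)
            }
        }
    }
}

Get-FlaggedJsonDll | Format-Table -AutoSize
```

Pass `-ComputerName` with a list of servers to collect the same table across the environment; the comparison uses the on-disk file version, which is what the scanner reported, not the package version it recommends.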
jaysontsai
Lurker
Full Name: Tsai Hsiang Sheng

Re: Vulnerable File Detected on Windows Server with Veeam Agent

Post by jaysontsai »

Hi Mildur,

Thank you again for the clarification regarding the System.Text.Json.dll vulnerability (CVE-2024-43485).
I have two follow-up questions for better internal communication with our customers:

1. Could you please elaborate on the practical impact of this potential Denial of Service (DoS) vulnerability? For instance, would it cause any interruption or instability in Veeam Backup & Replication services or backup operations?

2. For environments that are still running Veeam Backup & Replication v12 with Veeam Agent v6, could you please share an estimated timeframe (e.g., target month or quarter) for the patch that will include the updated System.Text.Json.dll?

We understand that the exact release schedule depends on development progress, but even an approximate estimate would help us prepare an internal report for our customers and their management.

Thank you very much for your time and support.