PT-2023-1918 · Veeam · Veeam Backup & Replication
Shanigen · Published 2023-03-07 · Updated 2026-03-10 · CVE-2023-27532
CVSS v2.0: 7.8 High (AV:N/AC:L/Au:N/C:C/I:N/A:N)
Name of the Vulnerable Software and Affected Versions
Veeam Backup & Replication versions 11.0.1.1261 through 12.0.0.1420
Description
A flaw exists in the Veeam Backup & Replication software that allows an unauthenticated user with network access to obtain encrypted credentials stored in the configuration database. Successful exploitation of this issue may allow an attacker to gain access to the backup infrastructure hosts. This vulnerability is actively exploited by ransomware groups, including EstateRansomware, Cuba, and Qilin, and has been observed in attacks targeting critical infrastructure. The vulnerability allows for the extraction of credentials in plaintext and potential remote code execution. Approximately 7500 hosts remain vulnerable. The vulnerability is exploitable through an unsecured API endpoint.
Recommendations
Update Veeam Backup & Replication to a release that contains the fix for CVE-2023-27532. As a temporary workaround, restrict network access to the Veeam backup service (TCP 9401). Scan the network for instances of the svchost.exe backdoor and remove any unauthorized accounts, such as VeeamBkp.
Exploit
Fix
Missing Authentication
Weakness Enumeration
Related Identifiers
Affected Products
Veeam Backup & Replication