Veeam Backup & Replication admins, get patching! (CVE-2023-27532)

Veeam Software has patched CVE-2023-27532, a high-severity security hole in its widely used Veeam Backup & Replication solution, and is urging customers to implement the fix as soon as possible.

About CVE-2023-27532

The nature of CVE-2023-27532 has not been explained – Veeam only says that “the vulnerable process, Veeam.Backup.Service.exe (TCP 9401 by default), allows an unauthenticated user to request encrypted credentials.”

Obtaining encrypted credentials might ultimately allow attackers to gain access to the backup infrastructure hosts, the company noted.

The email sent by the company to users notifying them of the flaw and the need to patch also did not offer much insight, but noted that “if you use an all-in-one Veeam appliance with no remote backup infrastructure components, you can also block external connections to port TCP 9401 in the backup server firewall as a temporary remediation until the patch is installed.”
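The temporary workaround from the vendor email, worked through as an added example (not the article's or Veeam's own code): it confirms that Veeam.Backup.Service.exe is the listener on TCP 9401, refuses to proceed if remote backup components are already connected (meaning this is not an all-in-one appliance), and otherwise adds an inbound Windows Firewall block rule until the patch is installed. It assumes a Windows backup server with the NetSecurity module and an elevated PowerShell session; the rule name is an arbitrary label chosen here.

```powershell
# Added example, not from the article or from Veeam. Temporary remediation for
# CVE-2023-27532 on an ALL-IN-ONE backup server: block external TCP 9401 until patched.
# Assumes Windows Server with the NetSecurity module, run from an elevated session.

$Port = 9401
$RuleName = 'TEMP - Block external TCP 9401 (CVE-2023-27532 workaround)'  # arbitrary label

# 1. Confirm the vulnerable service is what listens on the port.
$listener = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue |
    Select-Object -First 1
if (-not $listener) {
    Write-Host "Nothing is listening on TCP $Port; nothing to block."
    return
}
$proc = Get-Process -Id $listener.OwningProcess
Write-Host "TCP $Port is owned by $($proc.ProcessName) (PID $($proc.Id))"

# 2. Show who is connected from outside this host right now. Any remote backup
#    infrastructure component listed here would be cut off by the block rule, so in
#    that case this is not an all-in-one deployment: patch instead of blocking.
$remote = Get-NetTCPConnection -LocalPort $Port -State Established -ErrorAction SilentlyContinue |
    Where-Object { $_.RemoteAddress -notin @('127.0.0.1', '::1') }
if ($remote) {
    Write-Warning "Established external connections on TCP ${Port}:"
    $remote | Select-Object RemoteAddress, RemotePort | Format-Table -AutoSize
    Write-Warning 'Remote backup components are in use; do not apply the block rule here.'
    return
}

# 3. Create the inbound block rule. A Block rule takes precedence over any Allow rule
#    the Veeam installer created, so external hosts can no longer reach the service;
#    Windows Firewall does not filter loopback traffic, so local components keep working.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
        -LocalPort $Port -Action Block -Profile Any -Enabled True | Out-Null
}

# 4. Verify the rule is active. After the patch is installed, remove it with:
#    Remove-NetFirewallRule -DisplayName $RuleName
Get-NetFirewallRule -DisplayName $RuleName |
    Select-Object DisplayName, Enabled, Direction, Action
```

The rule is a stopgap only: it does nothing for deployments with remote proxies or repositories that must reach TCP 9401, and it should be removed once the vendor patch is applied.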

The email created some confusion with customers, because it was sent out before the knowledge base documents pointing to the patches / security updates were published, making some wonder whether it was a well-crafted phishing email aimed at tricking them into downloading malware. The company also added to the confusion and doubt by initially listing the wrong CVE number for the flaw.

Keep your backups secure

In this age of widespread ransomware attacks, threat actors are trying to delete backups to force companies to pay for getting their data back, so keeping your system updated is a must.

CVE-2023-27532 affects all Veeam Backup & Replication versions, and users are advised to install the patches as soon as possible.

“All new deployments of Veeam Backup & Replication versions 12 and 11 installed using the ISO images dated 20230223 (V12) and 20230227 (V11) or later are not vulnerable,” the company noted, and urged users of unsupported Veeam Backup & Replication versions to upgrade to a supported one before implementing the patch.

UPDATE (March 10, 2023, 03:25 a.m. ET):

Markus Wulftange, principal security researcher at German security outfit CODE WHITE, has developed an exploit for the flaw.

UPDATE (August 2023):

CVE-2023-27532 has been exploited by FIN7 cybercriminals and attackers wielding Cuba ransomware.
