A vulnerability in Veeam Backup & Replication (CVE-2023-27532) has been found that could enable an unauthenticated user to request encrypted credentials, giving them access to hosts used in the backup infrastructure. All versions of Veeam Backup & Replication are impacted, and the issue has a CVSS v3 score of 7.5.
To address this vulnerability, Veeam has created patches for V11 and V12, and we strongly advise that you upgrade your installations right away.
Access the KB4424 article here for patches and instructions.
- All versions of Veeam Backup & Replication are impacted by this issue.
- If you are using an earlier version of Veeam Backup & Replication, please upgrade to a supported version first.
- If you use an all-in-one Veeam appliance with no remote backup infrastructure components, a temporary mitigation until the patch is installed is to restrict external connections to TCP port 9401 in the backup server's firewall.
- The patch must be installed on the Veeam Backup & Replication server. New deployments of versions 12 and 11a installed from ISO images dated 20230223 (V12) and 20230227 (V11a) or later are not vulnerable.
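As an added illustration (not from Veeam's KB4424), one way to apply the interim mitigation for the all-in-one case on a Windows-based backup server, assuming the built-in Windows Defender Firewall is in use; the rule name and description are chosen here and are not Veeam's:

```powershell
# Added example: block inbound TCP 9401 from remote hosts on an all-in-one
# Veeam Backup & Replication server. Assumes Windows Defender Firewall; the
# rule name below is our own label, not a Veeam-defined name.
$Port     = 9401
$RuleName = 'CVE-2023-27532 interim mitigation - block TCP 9401 inbound'

# Record what is currently listening on the port before changing anything.
Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess

# Create the block rule once. In Windows Firewall, block rules take precedence
# over allow rules, so any existing allow rule for the port is overridden.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName `
        -Description 'Temporary until the KB4424 patch is installed; remove afterwards.' `
        -Direction Inbound -Protocol TCP -LocalPort $Port `
        -RemoteAddress Any -Action Block -Profile Any -Enabled True | Out-Null
}

# Verify the rule exists and carries the expected port filter.
Get-NetFirewallRule -DisplayName $RuleName |
    Get-NetFirewallPortFilter |
    Select-Object Protocol, LocalPort, RemotePort

# After the patch from KB4424 is installed, remove the interim rule:
# Remove-NetFirewallRule -DisplayName $RuleName
```

The rule only applies where no remote backup infrastructure components need to reach the server, which is the all-in-one scenario described above; with distributed components, patching rather than blocking is the only option.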