Get in Touch
Indiscriminate, opportunistic targeting.
Four security vulnerabilities have been disclosed, pertaining to Veeam ONE. The flaws are tracked as CVE-2023-38547 (CVSSv3.1 score: 9.9 – Critical), CVE-2023-38548 (CVSSv3.1 score: 9.8 – Critical), CVE-2023-38549 (CVSSv3.1 score: 4.5 – Medium) and CVE-2023-41723 (CVSSv3.1 score: 4.3 – Medium). CVE-2023-38547, CVE-2023-38548, and CVE-2023-41723 affect Veeam ONE version 11, 11a and 12, whereas CVE-2023-38548 impacts Veeam ONE 12 only.
- Successful exploitation of CVE-2023-38547 would almost certainly allow a threat actor to perform remote code execution (RCE) on the SQL server hosting the Veeam ONE configuration database.
- Successful exploitation of CVE-2023-38548 would almost certainly allow a threat actor with access to the Veeam ONE Web Client to obtain the NTLM hash of the account used by the Veeam ONE Reporting Service.
- Successful exploitation of CVE-2023-38549 would almost certainly allow a threat actor with the Veeam ONE Power User role to obtain the access token of a user with the Veeam ONE Administrator role via cross-site scripting (XSS).
- Successful exploitation of CVE-2023-41723 would almost certainly allow a threat actor with the Veeam ONE Read-Only User role to view the Dashboard Schedule.
A security patch has been released by Veeam. As such, previous product versions remain vulnerable to potential exploitation.
- CVE-2023-38547: Veeam ONE 11, 11a, 12
- CVE-2023-38548: Veeam ONE 12
- CVE-2023-38549: Veeam ONE 11, 11a, 12
- CVE-2023-41723: Veeam ONE 11, 11a, 12
Containment, Mitigations & Remediations
It is strongly recommended that users of the affected product versions apply the relevant security updates as soon as possible. Remediations have been made available for the following Veeam ONE versions:
- Veeam ONE 12 P20230314 (188.8.131.5291)
- Veeam ONE 11a (184.108.40.2060)
- Veeam ONE 11 (220.127.116.119)
Indicators of Compromise
No specific Indicators of Compromise (IoCs) are available currently.
Veeam occupies a significant portion of the backup-and-recovery market share. The related products are used extensively by organisations across the industry sector spectrum. Within the context, it has been assessed that cyber threat actors will almost certainly view organisations with operational protocols involving these products as prime targets as they seek to meet their pre-defined objectives.
Intelligence indicates that vulnerabilities related to Veeam products for which patches exist, have previously been subjected malicious cyber operations pertaining to FIN7 and ALPHV ransomware operations. It is therefore of critical importance to follow the recommended remediation and mitigation strategies to reduce the risk of exploitation.
No attribution to specific threat actors or groups has been identified at the time of writing.
TA0002 – Execution
TA0004 – Privilege Escalation