A high-severity vulnerability, tracked as CVE-2023-27532 and affecting all versions of Veeam's Backup & Replication (VBR) software, could allow unauthenticated attackers to gain a foothold in backup infrastructure by stealing plaintext credentials and remotely executing code as SYSTEM.
Veeam has released security updates that fix the flaw in VBR V11 and V12. Older releases are out of support and receive no patch, so customers still running them must upgrade to a supported version to close the hole.
Where patching cannot happen immediately, Veeam recommends blocking external connections to TCP port 9401 in the backup server's firewall, which removes the attack vector until the update is applied.
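Veeam's workaround is a firewall restriction on the backup server itself, so the following PowerShell shows one way to apply and then verify it. This is an added example written for this page, not Veeam's or the researchers' code. The trusted-peer addresses and the hostname in the verification step are hypothetical placeholders; the cmdlets come from the NetSecurity module that ships with Windows Server.

```powershell
# Added example (not Veeam's code): restrict inbound TCP 9401 on a Veeam Backup &
# Replication server to a trusted set of peers, then verify the result.
#
# Windows Firewall gives an explicit Block rule precedence over any Allow rule that
# matches the same traffic, so a blanket "block 9401" rule would also cut off the
# backup components that legitimately use the port. The workable pattern is:
#   1. make sure each profile's default inbound action is Block, so traffic that
#      matches no Allow rule is dropped, and
#   2. scope every Allow rule that opens TCP 9401 to the trusted peers only.
#
# $TrustedPeers is a hypothetical list for illustration; replace it with the
# backup-infrastructure hosts that genuinely need to reach the Veeam service.
#Requires -RunAsAdministrator

$Port = 9401
$TrustedPeers = @('10.0.10.20', '10.0.10.21')   # hypothetical peer addresses

# Step 1: default-deny inbound on every profile (Domain, Private, Public).
Get-NetFirewallProfile |
    Where-Object { $_.DefaultInboundAction -ne 'Block' } |
    Set-NetFirewallProfile -DefaultInboundAction Block

# Step 2: enabled inbound Allow rules whose port filter names 9401 explicitly.
# (Rules that express the port as a range such as 9390-9410 are not matched here
# and need a manual look.)
$portRules = Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and @($_.LocalPort) -contains "$Port" } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.Enabled -eq 'True' }

foreach ($rule in $portRules) {
    Write-Host "Scoping rule '$($rule.DisplayName)' to trusted peers"
    $rule | Set-NetFirewallRule -RemoteAddress $TrustedPeers
}

# Step 3: Allow rules with LocalPort = Any (typically program-based rules) also
# expose 9401. They may cover other ports that admin workstations rely on, so
# list them with their program path for manual scoping rather than rewriting
# them blindly.
Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -in @('TCP', 'Any') -and "$($_.LocalPort)" -eq 'Any' } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.Enabled -eq 'True' } |
    ForEach-Object {
        [pscustomobject]@{
            Rule    = $_.DisplayName
            Profile = $_.Profile
            Program = ($_ | Get-NetFirewallApplicationFilter).Program
        }
    } | Format-Table -AutoSize

# Step 4: show the remote-address scope now attached to each 9401 rule.
$portRules | ForEach-Object {
    $addr = $_ | Get-NetFirewallAddressFilter
    [pscustomobject]@{ Rule = $_.DisplayName; RemoteAddress = ($addr.RemoteAddress -join ', ') }
} | Format-Table -AutoSize

# Step 5: verify from an UNTRUSTED host (e.g. an ordinary workstation); the TCP
# test must fail there and succeed only from an address in $TrustedPeers.
#   Test-NetConnection -ComputerName vbr01.example.internal -Port 9401   # hypothetical hostname
#   expected: TcpTestSucceeded = False from untrusted hosts
```

The script scopes existing Allow rules instead of adding a Block rule because Windows Firewall lets a Block rule override every matching Allow rule; a "block 9401 from anywhere" rule would therefore also sever the backup proxies and repositories that must still reach the service. Run the final `Test-NetConnection` from a host outside the trusted list, since a check from the backup server itself or from a trusted peer proves nothing about external exposure.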
Horizon3's Attack Team has published cross-platform exploit code for the vulnerability that extracts plaintext credentials from the VBR configuration database by abusing an unsecured API endpoint.
The proof-of-concept (PoC) code is available on GitHub, is built on .NET Core, and runs on Linux, according to vulnerability researcher James Horseman. Huntress security researchers have demonstrated their own PoC exploit, which dumps plaintext credentials and achieves arbitrary code execution through additional API calls. That combination makes the Veeam instance itself a vector for initial access, lateral movement, and further post-exploitation activity.
Huntress Labs found that out of 2 million endpoints running its agent software, more than 7,500 hosts running Veeam Backup & Replication software were vulnerable to CVE-2023-27532 exploits.
While there are currently no reports of threat actors exploiting or attempting to exploit the vulnerability, attackers will likely weaponize the PoC code published by Horizon3 researchers against Internet-exposed Veeam servers.
With working exploit code public, the patches should be applied as soon as possible, and the TCP 9401 firewall restriction should remain in place on any backup server that cannot be updated immediately.