Veeam Backup & Replication admins, get patching! (CVE-2023-27532)
Veeam Software has patched CVE-2023-27532, a high-severity security hole in its widely-used Veeam Backup & Replication solution, and is urging customers to implement the fix as soon as possible.
The nature of CVE-2023-27532 has not been explained - Veeam only says that "The vulnerable process, Veeam.Backup.Service.exe, allows an unauthenticated user to request encrypted credentials."
Obtaining encrypted credentials might ultimately allow attackers to gain access to the backup infrastructure hosts, the company noted.
The email sent by the company to users notifying them of the flaw and the need to patch also did not offer much insight, but noted that "If you use an all-in-one Veeam appliance with no remote backup infrastructure components, you can also block external connections to port TCP 9401 in the backup server firewall as a temporary remediation until the patch is installed."
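The temporary remediation quoted above, worked through as an added example (not code from the article or from Veeam): it creates the inbound block rule for TCP 9401 on the backup server, verifies that the rule is enabled and bound to the right port, and records what was listening on that port before the change. It assumes a Windows Server host with the built-in Windows Defender Firewall, an elevated PowerShell session, and an all-in-one deployment with no remote backup infrastructure components, exactly the condition the vendor email attaches to this workaround; the rule display name is an assumption of this example.

```powershell
# Added example, not from the article or from Veeam: temporary mitigation for
# CVE-2023-27532 on an all-in-one Veeam Backup & Replication server with no
# remote backup infrastructure components. Run on the backup server itself
# from an elevated PowerShell session. The display name is this example's own.

$ruleName = 'Block inbound TCP 9401 (CVE-2023-27532 temporary remediation)'

# 1. Record what is currently listening on TCP 9401, for the change log.
Get-NetTCPConnection -LocalPort 9401 -State Listen -ErrorAction SilentlyContinue |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            LocalAddress = $_.LocalAddress
            Port         = $_.LocalPort
            Process      = $proc.ProcessName
        }
    }

# 2. Create the block rule once (re-running the script does not duplicate it).
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName `
        -Direction Inbound -Protocol TCP -LocalPort 9401 `
        -RemoteAddress Any -Action Block -Profile Any -Enabled True | Out-Null
}

# 3. Verify the rule is enabled and actually filters TCP/9401.
$rule = Get-NetFirewallRule -DisplayName $ruleName
$port = $rule | Get-NetFirewallPortFilter
if ($rule.Enabled -eq 'True' -and $port.Protocol -eq 'TCP' -and $port.LocalPort -eq '9401') {
    Write-Host "OK: inbound TCP 9401 is blocked by '$ruleName'"
} else {
    Write-Warning "Rule missing or misconfigured; inspect Get-NetFirewallRule output"
}

# 4. Once the vendor patch is installed, remove the temporary rule:
#    Remove-NetFirewallRule -DisplayName $ruleName
```

Windows Defender Firewall does not filter loopback traffic, so components on the same host that talk to the service over 127.0.0.1 keep working while external connections to the port are dropped; from a second machine, `Test-NetConnection -ComputerName <backup-server> -Port 9401` should now report the TCP test as failed. If remote backup infrastructure components do exist, this blanket rule will break them, which is why the vendor limits the workaround to all-in-one appliances.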
CVE-2023-27532 affects all Veeam Backup & Replication versions, and users are advised to install the patches as soon as possible.
"All new deployments of Veeam Backup & Replication versions 12 and 11 installed using the ISO images dated 20230223 and 20230227 or later are not vulnerable," the company noted, and urged users of unsupported Veeam Backup & Replication versions to upgrade to a supported one before implementing the patch.
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-03-10 | CVE-2023-27532 | Missing Authentication for Critical Function vulnerability in Veeam Backup & Replication 11.0.1.1261/12.0.0.1420: a vulnerability in a Veeam Backup & Replication component allows encrypted credentials stored in the configuration database to be obtained. | 7.5 |