CVE-2023-27532
Published: 10 March 2023
Summary
CVE-2023-27532 is a high-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Veeam Backup & Replication. Its CVSS base score is 7.5 (High).
Operationally, it ranks in the top 0.7% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SC-28 (Protection of Information at Rest).
Deeper analysis
Veeam Backup & Replication contains a vulnerability that permits encrypted credentials stored in the configuration database to be retrieved. The flaw resides in a core component of the backup product and carries a CVSS 3.1 base score of 7.5, reflecting network attack vector, low complexity, and no required authentication or user interaction. Successful exploitation can expose credentials that protect the backup infrastructure hosts.
An unauthenticated attacker with network access can obtain the credentials and subsequently use them to reach backup servers and associated hosts. The weakness is categorized under CWE-306, indicating missing authentication for a critical function that protects stored secrets.
Veeam addresses the issue in knowledge-base article KB4424, while CISA lists the CVE in its catalog of known exploited vulnerabilities, confirming active exploitation in the wild. The associated EPSS score has reached a peak of 0.8486 and currently stands at 0.8381, indicating sustained attacker interest after public disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-31287
Vulnerability details
Vulnerability in Veeam Backup & Replication component allows encrypted credentials stored in the configuration database to be obtained. This may lead to gaining access to the backup infrastructure hosts.
- CWE(s): CWE-306 (Missing Authentication for Critical Function)
- KEV Date Added: 22 August 2023
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): directly enforces access control on the Veeam configuration database so that network-accessible, unauthenticated retrieval of stored credentials is blocked.
- SC-28 (Protection of Information at Rest): requires cryptographic protection of credentials at rest in the configuration database, directly mitigating the flaw that allows their retrieval.
- Least privilege on the backup server and database: limits privileges so that even authenticated users or processes cannot obtain the full set of stored infrastructure credentials.
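As an added illustration (constructed for this page, not Veeam code), the flaw shape described in the deeper analysis above, a network-reachable function that returns stored credential blobs with no authentication step, beside a hardened form that applies the AC-3 and least-privilege controls listed above. Users, salts, passwords, record names and blob values are all made up; the blobs stand in for credentials kept encrypted at rest (SC-28).

```python
import hashlib
import hmac
import secrets
class AuthError(Exception):
    """No valid session presented (the AC-3 check fails)."""
class AuthzError(Exception):
    """Authenticated caller asked for a record it does not own."""
# Constructed sample configuration database. Credentials are held only as opaque
# encrypted blobs (SC-28); decryption is out of scope for this example.
CONFIG_DB = {
    "backup-host-01": {"owner": "backup-admin", "blob": b"ENC:host01"},
    "backup-host-02": {"owner": "backup-admin", "blob": b"ENC:host02"},
    "repo-nas-01": {"owner": "repo-operator", "blob": b"ENC:nas01"},
}
def vulnerable_get_credentials():
    """CWE-306 shape: returns every stored credential blob to any network
    caller, with no authentication step at all."""
    return {name: rec["blob"] for name, rec in CONFIG_DB.items()}

# Hardened form: authenticate first, then enforce least privilege per record.
_SALTS = {"backup-admin": b"salt-1", "repo-operator": b"salt-2"}  # constructed
_PASSWORD_HASHES = {  # constructed users, standing in for a real identity store
    "backup-admin": hashlib.sha256(b"salt-1" + b"admin-pass").hexdigest(),
    "repo-operator": hashlib.sha256(b"salt-2" + b"repo-pass").hexdigest(),
}
_SESSIONS = {}  # session token -> user name

def login(user, password):
    """Return a session token, or None if the credentials do not verify."""
    expected = _PASSWORD_HASHES.get(user)
    if expected is None:
        return None
    presented = hashlib.sha256(_SALTS[user] + password.encode()).hexdigest()
    if not hmac.compare_digest(expected, presented):
        return None
    token = secrets.token_hex(16)
    _SESSIONS[token] = user
    return token

def hardened_get_credential(token, record_name):
    """AC-3: reject callers without a valid session; least privilege: return
    only the one record the caller owns, never the whole set."""
    user = _SESSIONS.get(token)
    if user is None:
        raise AuthError("authentication required")
    rec = CONFIG_DB.get(record_name)
    if rec is None or rec["owner"] != user:
        raise AuthzError("caller not authorised for this record")
    return rec["blob"]
```

The vulnerable function hands back all three records to anyone who can reach it; the hardened one returns nothing without a session and, even with one, only the caller's own record.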