cbcvebase.
CVE-2023-27532
published 2023-03-10

Priority: P1 (90) · Severity: high · CVSS 3.1 base score: 7.5
CVSS vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N
Tags: KEV · ITW (exploited in the wild) · EXPLOIT · Ransomware · Initial access
CISA Known Exploited Vulnerability (remediation due 2023-09-12)
Exploited in the wild
EPSS: 77.61% (99.5th percentile)
Vulnerability in Veeam Backup & Replication component allows encrypted credentials stored in the configuration database to be obtained. This may lead to gaining access to the backup infrastructure hosts.

Affected (3 ranges)

Vendor   Product                    Version range   Fixed in
veeam    veeam_backup_replication   < 11.0.1.1261   11.0.1.1261
veeam    veeam_backup_replication
veeam    veeam_backup_replication

Detection & IOCs (extracted from sources)

port:     9401
path:     C:\ProgramData\Veeam\Backup\Svc.VeeamBackup.log
registry: HKLM\Software\Veeam\Veeam Backup and Replication\LoggingLevel
process:  Veeam.Backup.Service.exe
hash:     45c8716c69f56e26c98369e626e0b47d7ea5e15d3fb3d97f0d5b6e8997299d1a
filename: veeam.exe
  • Monitor TCP port 9401 on Veeam Backup & Replication servers for unauthenticated inbound connections; this port is the attack surface for CVE-2023-27532 credential dumping and RCE.
  • Enable verbose API logging on Veeam servers by setting HKLM\Software\Veeam\Veeam Backup and Replication\LoggingLevel to DWORD 7 and restarting VeeamBackupSvc; then monitor C:\ProgramData\Veeam\Backup\Svc.VeeamBackup.log for anomalous API calls indicative of exploitation.
  • There are no child processes created and no filesystem or registry artifacts left behind during credential dumping exploitation; rely on API log analysis rather than process/file telemetry for detection.
  • Post-patch, verify that all API requests to the Veeam Backup & Replication service require a valid JWT signed with the installation-specific certificate; requests with empty or invalid tokens should be rejected.
  • Hunt for the presence of veeam.exe (SHA256: 45c8716c69f56e26c98369e626e0b47d7ea5e15d3fb3d97f0d5b6e8997299d1a) on hosts, as it is a weaponized exploit binary for CVE-2023-27532 observed in threat actor tool repositories.
  • By default, Veeam Backup & Replication does not log API calls; LoggingLevel must be manually raised to 7 to capture exploitation evidence, meaning default deployments will have no log entries related to CVE-2023-27532 attacks.
  • The Veeam Backup & Replication API listens on all interfaces (0.0.0.0) by default, making port 9401 externally reachable unless explicitly firewalled; internet-exposed instances are at highest risk.
  • Vulnerable versions are any Veeam Backup & Replication builds prior to V12 (build 12.0.0.1420 P20230223) and V11a (build 11.0.1.1261 P20230227); use the provided PowerShell snippet against Veeam.Backup.Core.dll to confirm the installed build.
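The detection notes above describe four host-side checks (installed build of Veeam.Backup.Core.dll against the fixed builds, the LoggingLevel registry value and API log, what is bound to and connected on TCP 9401, and the presence of the weaponized veeam.exe by SHA-256) but the PowerShell snippet they refer to is not included in this record. The script below is an added example that combines those checks into one read-only posture report; it is not code from the record, from Veeam, or from any cited source. It assumes the default install path for Veeam.Backup.Core.dll and a small set of hunt directories, both of which are not stated on the page and should be adjusted to the host. Raising LoggingLevel and restarting the service only happens when the `-EnableVerboseLogging` switch is passed, since that is the one change the procedure makes to the host.

```powershell
# Added example (not from the record or from Veeam): posture check for CVE-2023-27532
# on a Veeam Backup & Replication host, built only from the IoCs and steps in the record.
# ASSUMPTIONS: $CorePath is the product's default install location (not stated on the page);
# $HuntRoots is a constructed search scope; fixed builds 11.0.1.1261 / 12.0.0.1420 come from the record.
function Test-VeeamCve202327532 {
    [CmdletBinding()]
    param(
        [string]$CorePath  = 'C:\Program Files\Veeam\Backup and Replication\Backup\Veeam.Backup.Core.dll', # assumed
        [string[]]$HuntRoots = @('C:\Users', 'C:\ProgramData', 'C:\Windows\Temp'),                      # assumed
        [switch]$EnableVerboseLogging   # opt in: set LoggingLevel=7 and restart VeeamBackupSvc (per the record)
    )

    $logKey    = 'HKLM:\Software\Veeam\Veeam Backup and Replication'
    $logFile   = 'C:\ProgramData\Veeam\Backup\Svc.VeeamBackup.log'
    $knownBad  = '45C8716C69F56E26C98369E626E0B47D7EA5E15D3FB3D97F0D5B6E8997299D1A'
    $fixedV11a = [version]'11.0.1.1261'
    $fixedV12  = [version]'12.0.0.1420'

    # 1. Installed build: read the numeric version parts of Veeam.Backup.Core.dll.
    $build = $null; $patched = $null
    if (Test-Path -Path $CorePath) {
        $vi    = (Get-Item -Path $CorePath).VersionInfo
        $build = [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
        # Fixed on V12 at >= 12.0.0.1420, or on the 11 branch at >= 11.0.1.1261; anything older is vulnerable.
        $patched = ($build -ge $fixedV12) -or (($build.Major -eq 11) -and ($build -ge $fixedV11a))
    }

    # 2. API logging: default installs log no API calls, so LoggingLevel must be 7 to see exploitation.
    $level = (Get-ItemProperty -Path $logKey -Name LoggingLevel -ErrorAction SilentlyContinue).LoggingLevel
    if ($EnableVerboseLogging -and ($level -ne 7)) {
        Set-ItemProperty -Path $logKey -Name LoggingLevel -Value 7 -Type DWord
        Restart-Service -Name VeeamBackupSvc -Force
        $level = 7
    }

    # 3. TCP 9401: which local addresses the service listens on (0.0.0.0 / :: = all interfaces)
    #    and which remote peers are connected right now.
    $listeners = Get-NetTCPConnection -LocalPort 9401 -State Listen -ErrorAction SilentlyContinue
    $peers     = Get-NetTCPConnection -LocalPort 9401 -State Established -ErrorAction SilentlyContinue |
                 Select-Object -ExpandProperty RemoteAddress -Unique

    # 4. Hunt for the weaponized binary by the record's SHA-256; a matching filename alone is weak evidence,
    #    so every veeam.exe found is hashed and only a hash match is flagged as KnownBad.
    $hits = foreach ($root in $HuntRoots) {
        Get-ChildItem -Path $root -Recurse -Filter 'veeam.exe' -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                $h = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                [pscustomobject]@{ Path = $_.FullName; Sha256 = $h; KnownBad = ($h -eq $knownBad) }
            }
    }

    [pscustomobject]@{
        Build           = $build
        Patched         = $patched          # $null when the DLL was not found at $CorePath
        LoggingLevel    = $level            # $null when the value has never been set (no API logging)
        ApiLogPresent   = Test-Path -Path $logFile
        ListenAddresses = @($listeners | ForEach-Object LocalAddress)
        ConnectedPeers  = @($peers)
        VeeamExeHits    = @($hits)
    }
}

# Run read-only; add -EnableVerboseLogging to raise LoggingLevel and restart the service.
Test-VeeamCve202327532 | Format-List
```

Run it elevated on the backup server. A `Patched` of `$False` with `ListenAddresses` containing `0.0.0.0` is the exposed state the record describes; a `$null` `LoggingLevel` means there will be nothing in Svc.VeeamBackup.log to review, which is why the switch exists.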

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v3.1      7.5     HIGH       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vulncheck             7.5     HIGH
cisa                  7.5     HIGH