CVE-2023-27532
CVE-2023-27532 is a high-severity vulnerability in Veeam Veeam Backup & Replication with a CVSS 3.x base score of 7.5. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2023-08-22). The underlying weakness is classified as CWE-306.
Key facts
- Severity: High (CVSS 3.x base score 7.5)
- EPSS exploit prediction: 78% (100th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2023-08-22)
- EU (EUVD) id: EUVD-2023-31287
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2023-08-22)
- Weakness: CWE-306
- Affected product: Veeam Veeam Backup & Replication
- Published:
- Last modified:
Description
Vulnerability in Veeam Backup & Replication component allows encrypted credentials stored in the configuration database to be obtained. This may lead to gaining access to the backup infrastructure hosts.
CVE-2023-27532: Veeam Backup & Replication Unauthenticated Credential Disclosure
AI-generated analysis based on the vulnerability data on this page.
| Attribute | Value |
|---|---|
| CVE | CVE-2023-27532 |
| CVSS v3.1 | 7.5 (HIGH) — AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| EPSS | 0.7761 (99.51st percentile) |
| KEV | Yes (added 2023-08-22) |
| CWE | CWE-306: Missing Authentication for Critical Function |
| Vendor Advisory | Veeam KB4424 |
Summary
CVE-2023-27532 is a vulnerability in Veeam Backup & Replication that allows an unauthenticated attacker to obtain encrypted credentials stored in the product's configuration database. Successful exploitation may lead to unauthorized access to backup infrastructure hosts.
Background
Veeam Backup & Replication is a widely deployed enterprise backup and disaster-recovery platform. In March 2023, a vulnerability was disclosed affecting the product's handling of credential storage, specifically the encryption and access controls around the configuration database.
Root Cause
The vulnerability maps to CWE-306: Missing Authentication for Critical Function. A component responsible for accessing the configuration database does not properly enforce authentication, allowing an unauthenticated remote actor to retrieve encrypted credentials. While the credentials are encrypted, their extraction bypasses intended access controls and exposes material that can be decrypted or reused in subsequent attacks.
Impact
The CVSS v3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N yields a base score of 7.5 (HIGH). The metrics indicate:
- Attack Vector (AV): Network — exploitable remotely.
- Attack Complexity (AC): Low — no special conditions required.
- Privileges Required (PR): None — unauthenticated access.
- User Interaction (UI): None — no victim action needed.
- Scope (S): Unchanged — impact stays within the vulnerable component.
- Confidentiality (C): High — sensitive credential data is exposed.
- Integrity (I): None — no direct data modification.
- Availability (A): None — no direct service disruption.
The primary risk is credential compromise, which can cascade into full backup infrastructure access.
Exploitation Walkthrough (Defensive)
From a defensive standpoint, exploitation proceeds as follows:
- The attacker identifies an exposed Veeam Backup & Replication instance.
- The attacker sends a crafted, unauthenticated request to an endpoint or service path that interfaces with the configuration database.
- The response contains encrypted credentials stored in the database.
- The attacker may then attempt offline decryption or credential reuse against backup infrastructure hosts.
Ethics caveat: This walkthrough is intentionally generic and omits technical proof-of-concept details. It is provided solely to aid defenders in understanding attack flow and building detection logic. Do not use this information for unauthorized access.
Affected and Patched Versions
The following product versions are confirmed vulnerable based on CPE data:
- Veeam Backup & Replication 11.0.1.1261 (multiple patch levels)
- Veeam Backup & Replication 12.0.0.1420
Specific patched version numbers were not available in the source data. Administrators should consult Veeam KB4424 for the latest patched release and upgrade paths.
Remediation
- Patch immediately: Apply the vendor-supplied update as directed in Veeam KB4424.
- Network segmentation: Restrict access to Veeam management interfaces to authorized administrative hosts only; do not expose them to the internet.
- Multi-factor authentication (MFA): Enforce MFA on all accounts with access to backup infrastructure.
- Credential rotation: Rotate all credentials stored in the Veeam configuration database after patching.
- Principle of least privilege: Ensure backup service accounts have minimal necessary permissions.
Detection
- Monitor unauthenticated or anomalous requests to Veeam management endpoints.
- Alert on unexpected database read operations against the Veeam configuration database.
- Correlate login events on backup infrastructure hosts with suspicious source IPs.
- Review CISA's Known Exploited Vulnerabilities catalog for associated threat-actor TTPs.
Assessment
CVE-2023-27532 carries an EPSS score of 0.7761 (99.51st percentile) and has been listed in CISA's KEV catalog since 2023-08-22, with a corresponding EU Exploited Vulnerability Database entry (EUVD-2023-31287). These signals confirm active, in-the-wild exploitation. The combination of unauthenticated remote access and high-value backup infrastructure makes this a critical patching priority.
Lessons learned:
- Backup infrastructure is a prime target: Attackers understand that backup systems hold the keys to the kingdom; missing authentication on credential-access paths is especially dangerous.
- EPSS + KEV should drive prioritization: A vulnerability with EPSS > 0.5 and a KEV listing demands immediate attention over routine patch cycles.
References
Frequently asked questions
- What is CVE-2023-27532?
- Vulnerability in Veeam Backup & Replication component allows encrypted credentials stored in the configuration database to be obtained. This may lead to gaining access to the backup infrastructure hosts.
- How severe is CVE-2023-27532?
- CVE-2023-27532 has a CVSS 3.x base score of 7.5, rated high severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity none, and availability none.
- Is CVE-2023-27532 being actively exploited?
- Yes. CVE-2023-27532 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2023-08-22, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2023-27532?
- CVE-2023-27532 primarily affects Veeam Veeam Backup & Replication. In total, 6 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2023-27532?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2023-27532 have an EU (EUVD) identifier?
- Yes. CVE-2023-27532 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2023-31287. It is also flagged as exploited in the EUVD (since 2023-08-22).
- When was CVE-2023-27532 published?
- CVE-2023-27532 was published on 2023-03-10 and last updated on 2026-06-17.
References
- https://www.veeam.com/kb4424
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-27532
Affected products (6)
- cpe:2.3:a:veeam:veeam_backup_\&_replication:*:*:*:*:*:*:*:*
- cpe:2.3:a:veeam:veeam_backup_\&_replication:11.0.1.1261:-:*:*:*:*:*:*
- cpe:2.3:a:veeam:veeam_backup_\&_replication:11.0.1.1261:p20211123:*:*:*:*:*:*
- cpe:2.3:a:veeam:veeam_backup_\&_replication:11.0.1.1261:p20211211:*:*:*:*:*:*
- cpe:2.3:a:veeam:veeam_backup_\&_replication:11.0.1.1261:p20220302:*:*:*:*:*:*
- cpe:2.3:a:veeam:veeam_backup_\&_replication:12.0.0.1420:-:*:*:*:*:*:*
More vulnerabilities in Veeam Veeam Backup & Replication
- CVE-2026-21708 — Critical (CVSS 9.9): A vulnerability allowing a Backup Viewer to perform remote code execution (RCE) as the postgres user.
- CVE-2026-21669 — Critical (CVSS 9.9): A vulnerability allowing an authenticated domain user to perform remote code execution (RCE) on the Backup Server.
- CVE-2026-21667 — Critical (CVSS 9.9): A vulnerability allowing an authenticated domain user to perform remote code execution (RCE) on the Backup Server.
- CVE-2026-21666 — Critical (CVSS 9.9): A vulnerability allowing an authenticated domain user to perform remote code execution (RCE) on the Backup Server.
- CVE-2025-48983 — Critical (CVSS 9.9): A vulnerability in the Mount service of Veeam Backup & Replication, which allows for remote code execution (RCE) on the…
- CVE-2024-40711 — Critical (CVSS 9.8): A deserialization of untrusted data vulnerability with a malicious payload can allow an unauthenticated remote code…
All CVEs affecting Veeam Veeam Backup & Replication →
Other CWE-306 (Missing Authentication for Critical Function) vulnerabilities
- CVE-2026-54309 — Critical (CVSS 10.0): n8n is an open source workflow automation platform. Prior to 2.25.7 and 2.26.2, when @n8n/mcp-browser is run in HTTP…
- CVE-2026-50242 — Critical (CVSS 10.0): In JetBrains Hub before 2026.1.13757, 2025.3.148033, 2025.2.148048, 2025.1.148120, 2024.3.148430, 2024.2.148429…
- CVE-2026-49257 — Critical (CVSS 10.0): mcp-pinot is a Python-based Model Context Protocol (MCP) server for interacting with Apache Pinot. In versions 3.0.1…
- CVE-2026-46846 — Critical (CVSS 10.0): Vulnerability in the Oracle WebCenter Portal product of Oracle Fusion Middleware (component: Security Framework).…
- CVE-2026-46803 — Critical (CVSS 10.0): Vulnerability in the Oracle WebCenter Portal product of Oracle Fusion Middleware (component: Security Framework).…
- CVE-2026-46800 — Critical (CVSS 10.0): Vulnerability in the Oracle WebCenter Sites product of Oracle Fusion Middleware (component: WebCenter Sites).…
Browse all CWE-306 (Missing Authentication for Critical Function) vulnerabilities →