CVE-2023-27532 — Veeam Backup & Replication Cloud Connect Missing Authentication for Critical Function Vulnerability

CVE-2023-27532

Veeam Backup & Replication — Unauthenticated Credential Extraction from Backup Database; Exploited by FIN7 and Akira Ransomware for Backup Infrastructure Takeover

What is Veeam Backup & Replication?

Veeam Backup & Replication is one of the most widely deployed enterprise backup and disaster recovery platforms, used by organizations worldwide to protect virtual machines, physical servers, cloud workloads, and databases. Veeam stores backup data, schedules, configuration, and — critically — the credentials used to connect to protected systems and cloud environments. Because Veeam has privileged access to every system it backs up, a compromised Veeam server gives an attacker a blueprint and the credentials to access the organization's entire protected infrastructure. Ransomware operators specifically target backup infrastructure because destroying or encrypting backups eliminates the victim's ability to recover without paying the ransom.

Overview

CVE-2023-27532 is a missing authentication vulnerability (CWE-306) in Veeam Backup & Replication's Cloud Connect component: an unauthenticated attacker within the backup infrastructure network can query a service port that exposes encrypted credentials stored in the Veeam configuration database. While the credentials are returned encrypted, the encryption is weak enough that they can be decrypted offline — providing the attacker with credentials for backup targets, cloud accounts, and other infrastructure components. Veeam patched the issue in March 2023; CISA added it to the KEV catalog in August 2023 after FIN7 (Sangria Tempest) and the Akira ransomware group were confirmed to be exploiting it.

Affected Versions

Product                          Affected                 Fixed
Veeam Backup & Replication 12    Before patch P20230223   12 P20230223
Veeam Backup & Replication 11a   Specific older builds    11a with applicable hotfix
Veeam Backup & Replication 10a   End of support           Upgrade required

Technical Details

The Veeam Cloud Connect infrastructure exposes a TCP service (on port 9401 by default) that allows external cloud providers to communicate with the on-premises Veeam Backup & Replication server. This service lacks authentication in affected versions — any host that can reach the port can interact with the service.

An unauthenticated attacker who can reach this port can:

  1. Query the Veeam configuration database through the unauthenticated service
  2. Extract stored encrypted credentials for all configured backup repositories, managed VMs, tape libraries, and cloud environments
  3. Decrypt the weakly encrypted credentials offline
  4. Use the decrypted credentials to access the protected infrastructure directly — bypassing the backup software entirely

The credentials exposed include:

  • vCenter/ESXi host credentials (for full VMware environment access)
  • Hyper-V host credentials
  • Cloud provider credentials (AWS, Azure, GCP)
  • Repository server credentials (storage systems, NAS)
  • Linux/Windows backup agent credentials

Gaining these credentials effectively hands an attacker the organization's entire infrastructure authentication material — the same access Veeam needs to back up every system.

Discovery

CVE-2023-27532 was reported to Veeam by security researchers. Veeam published KB4424 and patches on March 7, 2023. The five-month gap before CISA's KEV addition reflects that in-the-wild exploitation was only identified later, during incident response investigations of ransomware attacks in which Veeam infrastructure was targeted as part of the attack chain.

Exploitation Context

FIN7 (also known as Sangria Tempest and Carbon Spider) is a sophisticated, financially motivated threat group known for multi-stage ransomware operations. The Akira ransomware-as-a-service group has been particularly active in targeting Veeam deployments: Akira campaigns frequently include a step in which the group attacks the Veeam server to extract backup infrastructure credentials before deploying ransomware, ensuring that backups cannot be used for recovery.

Backup servers are typically higher-trust than general servers (they need admin credentials to access everything), but may receive less security attention — the combination makes them high-value targets. An attacker who compromises the Veeam server before deploying ransomware can:

  1. Identify and delete or corrupt all backup data
  2. Use extracted credentials to move laterally to other high-value systems
  3. Deploy ransomware with confidence that no clean backups exist for recovery

Remediation

  1. Apply Veeam KB4424 patches — upgrade Backup & Replication 12 to build P20230223 or later, or apply the applicable hotfix for version 11a. Consult veeam.com/kb4424 for specific build numbers.
  2. Restrict access to the Veeam service port (9401/TCP) — firewall the Veeam Cloud Connect service port to allow only authorized external cloud provider IP ranges; block all other access including internal lateral movement paths.
  3. Rotate all credentials stored in Veeam — if the Veeam server was network-accessible while running a vulnerable version, assume all stored credentials have been compromised. Rotate passwords for every system Veeam is configured to access.
  4. Audit Veeam logs for unauthorized access to the configuration database or unusual API activity from unexpected hosts.
  5. Isolate Veeam infrastructure — place Veeam servers in dedicated management VLANs with tight firewall rules; only authorized management workstations and backup targets should be able to reach Veeam service ports.
  6. Implement MFA on Veeam console access — reduces risk from credential-based lateral movement even after a credential leak.
  7. Test backup restores regularly — verify that backup data integrity is intact; attackers may have deleted or corrupted backup files if they accessed the system.
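Steps 2 and 4 above can be checked together against firewall or flow logs. The following is an added example, not Veeam's code and not part of the advisory: it parses a constructed key=value connection-log format, keeps only TCP 9401 events, flags every source outside an allowlist of the cloud provider's ranges and the backup-management VLAN, and separates out the sources whose connections were actually allowed, which per step 3 are the ones that justify rotating every credential stored in Veeam. The log format, field names and IP ranges are assumptions; the sample log is constructed.

```python
"""Detect connections to the Veeam Cloud Connect port (9401/TCP) from sources
that are not on an explicit allowlist (remediation steps 2 and 4).

Added example; not Veeam's code. The log line format, the IP ranges and the
sample log below are all constructed for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List

VEEAM_CLOUD_CONNECT_PORT = 9401

# Hypothetical allowlist: the service provider's published range plus the
# backup-management VLAN. Replace with your own ranges.
ALLOWED_SOURCES = [
    ipaddress.ip_network("203.0.113.0/24"),  # hypothetical cloud-provider range
    ipaddress.ip_network("10.10.0.0/24"),    # hypothetical management VLAN
]

# Constructed key=value log format; adapt the regex to your firewall's export.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+"
    r"dport=(?P<dport>\d+)\s+proto=(?P<proto>\w+)\s+action=(?P<action>\w+)\s*$"
)


@dataclass(frozen=True)
class Finding:
    timestamp: str
    source: str
    action: str  # "allow" means the connection reached the port


def is_allowed(src: str, allowed=ALLOWED_SOURCES) -> bool:
    """True if src falls inside any allowlisted network."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in allowed)


def find_unauthorized(lines: Iterable[str], allowed=ALLOWED_SOURCES) -> List[Finding]:
    """Return every TCP/9401 event whose source is outside the allowlist.
    Denied attempts are reported too: they show who is probing the port."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if m is None:
            continue  # unparseable line: skip rather than abort the sweep
        rec = m.groupdict()
        if rec["proto"].lower() != "tcp" or int(rec["dport"]) != VEEAM_CLOUD_CONNECT_PORT:
            continue
        if not is_allowed(rec["src"], allowed):
            findings.append(Finding(rec["ts"], rec["src"], rec["action"].lower()))
    return findings


def sources_needing_rotation(findings: Iterable[Finding]) -> List[str]:
    """Sources that actually got through (action=allow): per step 3, assume the
    credentials stored in Veeam were exposed to them and rotate."""
    return sorted({f.source for f in findings if f.action == "allow"})


# Constructed sample log (not real traffic).
SAMPLE_LOG = """\
2023-08-01T02:14:07Z src=203.0.113.45 dst=10.10.0.5 dport=9401 proto=tcp action=allow
2023-08-01T02:15:11Z src=10.0.5.23 dst=10.10.0.5 dport=9401 proto=tcp action=allow
2023-08-01T02:15:12Z src=10.0.5.23 dst=10.10.0.5 dport=445 proto=tcp action=allow
2023-08-01T02:16:40Z src=198.51.100.7 dst=10.10.0.5 dport=9401 proto=tcp action=deny
this line is not a connection record
"""

if __name__ == "__main__":
    hits = find_unauthorized(SAMPLE_LOG.splitlines())
    for h in hits:
        print(f"{h.timestamp} {h.source} -> tcp/{VEEAM_CLOUD_CONNECT_PORT} ({h.action})")
    print("rotate credentials exposed to:", sources_needing_rotation(hits))
```

On the sample log the sweep reports the internal workstation that reached the port and the external host whose attempt was denied, and lists only the former as a reason to rotate credentials; the SMB event and the malformed line are ignored.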

Key Details

Property              Value
CVE ID                CVE-2023-27532
Vendor / Product      Veeam — Backup & Replication
NVD Published         2023-03-10
NVD Last Modified     2025-11-03
CVSS 3.1 Score        7.5
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Severity              HIGH
CWE                   CWE-306
CISA KEV Added        2023-08-22
CISA KEV Deadline     2023-09-12
Known Ransomware Use  Yes

CVSS 3.1 Breakdown

Metric               Value
Attack Vector        Network
Attack Complexity    Low
Privileges Required  None
User Interaction     None
Scope                Unchanged
Confidentiality      High
Integrity            None
Availability         None

Required Action

CISA BOD 22-01 Deadline: 2023-09-12. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date         Event
2023-03-07   Veeam publishes KB4424 and releases patches for Backup & Replication 12 and 11a addressing CVE-2023-27532
2023-03-10   CVE-2023-27532 formally published
2023-08-22   Added to CISA Known Exploited Vulnerabilities catalog, five months after patching; FIN7 (Sangria Tempest) and Akira ransomware group confirmed exploitation
2023-09-12   CISA BOD 22-01 remediation deadline

References

Resource                                          Type
Veeam KB4424 — CVE-2023-27532 Security Advisory   Vendor Advisory
NVD — CVE-2023-27532                              Vulnerability Database
CISA KEV Catalog Entry                            US Government