Veeam Backup & Replication Cloud Connect Missing Authentication for Critical Function Vulnerability

Summary

CVE	CVE-2023-27532
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2023-03-10 22:15:00 UTC
Updated	2023-03-16 17:23:00 UTC
Description	Vulnerability in Veeam Backup & Replication component allows encrypted credentials stored in the configuration database to be obtained. This may lead to gaining access to the backup infrastructure hosts.

Risk And Classification

EPSS: 0.838080000 probability, percentile 0.992980000 (date 2026-04-23)

CISA KEV: Listed on 2023-08-22; due 2023-09-12; ransomware use Known

Problem Types: CWE-306

CISA Known Exploited Vulnerability

Vendor	Veeam
Product	Backup & Replication
Name	Veeam Backup & Replication Cloud Connect Missing Authentication for Critical Function Vulnerability
Required Action	Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes	https://www.veeam.com/kb4424; https://nvd.nist.gov/vuln/detail/CVE-2023-27532

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	Veeam	Backup Replication	11.0.1.1261	All	All	All
Application	Veeam	Backup Replication	11.0.1.1261	-	All	All
Application	Veeam	Backup Replication	11.0.1.1261	p20211123	All	All
Application	Veeam	Backup Replication	11.0.1.1261	p20211211	All	All
Application	Veeam	Backup Replication	11.0.1.1261	p20220302	All	All
Application	Veeam	Backup Replication	12.0.0.1420	-	All	All

References

Reference	Source	Link	Tags
KB4424: CVE-2023-27532	MISC	www.veeam.com
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis
CISA Known Exploited Vulnerabilities catalog	CISA	www.cisa.gov	kev

No vendor comments have been submitted for this CVE.

Legacy QID Mappings

378062 Veeam Backup and Replication Access Control Vulnerability (kb4424)