Exploit released for Veeam bug allowing cleartext credential theft

Cross-platform exploit code is now available for a high-severity Backup Service vulnerability impacting Veeam's Backup & Replication (VBR) software.

The flaw (CVE-2023-27532) affects all VBR versions and can be exploited by unauthenticated attackers to breach backup infrastructure after stealing cleartext credentials and gaining remote code execution as SYSTEM.

Veeam released security updates to address this vulnerability for VBR V11 and V12 on March 7, advising customers using older releases to upgrade to secure vulnerable devices running unsupported releases.

"We have developed patches for V11 and V12 to mitigate this vulnerability and we recommend you update your installations immediately," the company warned.

The company also shared a temporary fix for admins who couldn't immediately deploy the patches, which requires blocking external connections to port TCP 9401 using the backup server firewall to remove the attack vector.

Veeam says its VBR software is used by more than 450,000 customers worldwide, including 82% of Fortune 500 companies and 72% of Global 2,000.

Today, just over two weeks after Veeam released CVE-2023-27532 patches, Horizon3's Attack Team published a technical root cause analysis for this high-severity vulnerability.

They also released cross-platform proof-of-concept (PoC) exploit code that allows obtaining credentials in plaintext from the VBR configuration database by abusing an unsecured API endpoint.

​"We have released our POC on Github, which is built on .NET core and capable of running on Linux, making it accessible to a wider audience," Horizon3 vulnerability researcher James Horseman said.

"It is important to note that this vulnerability should be taken seriously and patches should be applied as soon as possible to ensure the security of your organization."

Last week, Huntress security researchers shared a video demo of their own PoC exploit capable of dumping cleartext credentials and achieving arbitrary code execution via additional API calls that could be weaponized.

"While the unauthenticated credential dump acts as a vector for lateral movement or post-exploitation, the vulnerability in question can also be used for unauthenticated remote code execution — turning the vulnerable Veeam instance itself into a vector for initial access or further compromise," Huntress Labs security researchers John Hammond explained.

Out of 2 million endpoints running its agent software, Huntress said it detected more than 7,500 hosts running Veeam Backup & Replication software vulnerable to CVE-2023-27532 exploits.

Although there are no reports of threat actors leveraging this vulnerability and no attempts to exploit it in the wild, attackers will likely create their own exploits based on the PoC code published by Horizon3 researchers to target Internet-exposed Veeam servers.