Home > Cyber News > CVE-2023-38547: Critical Flaws in Veeam
CYBER NEWS

CVE-2023-38547: Critical Flaws in Veeam

by   |  Last Update:  |  0 Comments  

Veeam has swiftly responded to security concerns by releasing updates that target four vulnerabilities in its ONE IT monitoring and analytics platform, two of which hold critical severity ratings.
CVE-2023-38547- Critical Flaws in Veeam

Veeam Vulnerabilities: CVE-2023-38547, CVE-2023-38548, CVE-2023-38549, CVE-2023-41723

The identified vulnerabilities are:

  • CVE-2023-38547 (CVSS score: 9.9): An unspecified flaw exploitable by an unauthenticated user to gain information about Veeam ONE’s SQL server connection, potentially leading to remote code execution on the SQL server.
  • CVE-2023-38548 (CVSS score: 9.8): A flaw in Veeam ONE enabling an unprivileged user with access to the Veeam ONE Web Client to obtain the NTLM hash of the account used by the Veeam ONE Reporting Service.
  • CVE-2023-38549 (CVSS score: 4.5): A cross-site scripting (XSS) vulnerability allowing a user with the Veeam ONE Power User role to obtain the access token of a user with the Veeam ONE Administrator role.
  • CVE-2023-41723 (CVSS score: 4.3): A vulnerability permitting a user with the Veeam ONE Read-Only User role to view the Dashboard Schedule.

While the first three vulnerabilities impact Veeam ONE versions 11, 11a, and 12, the fourth, CVE-2023-38548, affects only Veeam ONE 12. Fixes for these issues are available in the following versions:

  • Veeam ONE 11 (11.0.0.1379)
  • Veeam ONE 11a (11.0.1.1880)
  • Veeam ONE 12 P20230314 (12.0.1.2591)




It is crucial for users running the affected versions to take immediate action. The recommended steps include stopping Veeam ONE Monitoring and Reporting services, replacing existing files with those provided in the hotfix, and restarting the two services.

Notably, over recent months, critical flaws in Veeam’s backup software have been exploited by various threat actors, including FIN7 and BlackCat ransomware, to distribute malware. Stay secure by applying the latest updates promptly.

Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum since the project started. A professional with 10+ years of experience in creating engaging content. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim

More Posts

Follow Me:
Twitter

Related posts:
  1. EstateRansomware Targets Veeam Backup: CVE-2023-27532 Exploited CVE-2023-27532, a significant flaw identified in Veeam Backup & Replication...
  2. Adobe Patches 112 Vulnerabilities in Latest Patch Package (CVE-2018-5007) Adobe has released the latest patch package that addresses a...
  3. The Most Secure Smartwatches List This is a comprehensive Top 10 list that summarizes the...
  4. Veeam Leaked Over 200 GB of Customer Data, Fortune 500 Companies Affected A database belonging to Veeam, a data management company, has...
  5. CISA Warns of CVE-2023-1133, Other Severe Flaws in Industrial Software On Tuesday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA)...
  6. In 2023, Microsoft Addressed More Than 900 Flaws Microsoft’s December 2023 Patch Tuesday: Wrapping Up the Year Microsoft...
  7. CVE-2023-7028: GitLab Fixes Critical Account-Hijacking Flaws GitLab has released crucial security updates for both its Community...
  8. CVE-2023-20887: Cisco, VMWare Fix Severe Vulnerabilities Security researchers reported that software companies Cisco and VMWare have...

Leave a Comment

Your email address will not be published. Required fields are marked *

This website uses cookies to improve user experience. By using our website you consent to all cookies in accordance with our Privacy Policy.
I Agree