Veeam Software has rolled out patches for four severe security vulnerabilities that expose users of its Veeam ONE product to remote code execution attacks.
The Ohio company issued an urgent advisory to document the flaws, which include a pair of critical issues with CVSS severity scores of 9.9 out of 10.
An IT monitoring and analytics solution, Veeam ONE provides organizations with real-time monitoring, management reporting, and business documentation for Veeam’s backup products.
Veeam is documenting the most serious issue as CVE-2023-38547 (CVSS 9.9), a security defect that could allow an attacker to execute code remotely.
“A vulnerability in Veeam ONE allows an unauthenticated user to gain information about the SQL server connection Veeam ONE uses to access its configuration database. This may lead to remote code execution on the SQL server hosting the Veeam ONE configuration database,” the company warned.
The second critical issue, tracked as CVE-2023-38548 (CVSS 9.8), could allow an attacker to obtain the hashed password of the Veeam ONE Reporting Service account.
“A vulnerability in Veeam ONE allows an unprivileged user who has access to the Veeam ONE Web Client the ability to acquire the NTLM hash of the account used by the Veeam ONE Reporting Service,” Veeam said.
Veeam also patched a medium-severity issue (CVE-2023-38549) that allows an attacker with ‘power user’ privileges to obtain the access token of a Veeam ONE administrator. Successful exploitation requires interaction from the administrator.
A fourth issue, tracked as CVE-2023-41723, was also fixed to block attackers with read-only access from viewing the application’s dashboard schedule.
Veeam released hotfixes to address these flaws in Veeam ONE versions 11, 12, and 13. Administrators are advised to download the patches and install them as soon as possible.
Veeam makes no mention of any of these vulnerabilities being exploited in attacks, but attackers are known to have targeted flaws in its backup solutions.