Veeam released hotfixes today to address four vulnerabilities in its Veeam ONE IT infrastructure monitoring and analytics platform, two of which are critical: CVE-2023-38548 and CVE-2023-38547. The critical flaws allow attackers to gain remote code execution (RCE) and steal NTLM hashes from vulnerable servers, and carry near-maximum severity ratings (CVSS base scores of 9.8 and 9.9 out of 10). The remaining two vulnerabilities, CVE-2023-38549 and CVE-2023-41723, are medium-severity, either requiring user interaction or having limited impact.
Impact:
CVE-2023-38547: An unauthenticated user can gain information about the SQL server connection, potentially leading to remote code execution on the SQL server hosting Veeam ONE's configuration database.
CVE-2023-38548: An unprivileged user with access to the Veeam ONE Web Client can acquire the NTLM hash of the account used by the Veeam ONE Reporting Service.
CVE-2023-38549: Attackers with the Power User role can steal the access token of an admin in a Cross-Site Scripting (XSS) attack; this requires user interaction.
CVE-2023-41723: Malicious actors with the Read-Only User role can view the Dashboard Schedule but cannot make changes.
Recommendation: These vulnerabilities impact actively supported Veeam ONE versions up to the latest release. Veeam has released hotfixes for the affected versions, and administrators need to replace files on the disk with the hotfix files and stop and restart Veeam ONE monitoring and reporting services.
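The hotfix procedure above (stop the Veeam ONE monitoring and reporting services, replace files on disk, restart the services) is easy to get wrong on a production server: a binary that is still locked by a running service, a hotfix file copied to the wrong folder, or a service that is never started again. The PowerShell script below is an added example written for this page, not Veeam's own installer or KB script. The service names, install path and hotfix folder are assumed placeholders; take the real values from the Veeam KB article for the specific hotfix. It backs up every file it replaces and records SHA-256 hashes before and after, so the change can be audited and, if needed, rolled back.

```powershell
# Added example (not Veeam's own script): apply a Veeam ONE hotfix by stopping the
# monitoring and reporting services, backing up and replacing the files on disk,
# then restarting the services and confirming they are running.
# Service names, install path and hotfix folder are ASSUMED placeholders; take the
# real values from the Veeam KB article for the hotfix being applied.
#Requires -RunAsAdministrator
param(
    [string]$HotfixDir  = 'C:\Temp\VeeamONE_Hotfix',         # constructed placeholder
    [string]$InstallDir = 'C:\Program Files\Veeam\Veeam ONE',  # assumed install path
    [string[]]$Services = @('PLACEHOLDER_Monitoring_Service',  # assumed service names
                            'PLACEHOLDER_Reporting_Service')
)

$ErrorActionPreference = 'Stop'
$backupDir = Join-Path $env:TEMP ('VeeamONE_backup_' + (Get-Date -Format 'yyyyMMdd_HHmmss'))
New-Item -ItemType Directory -Path $backupDir | Out-Null

# 1. Stop the services so the binaries on disk are not locked.
foreach ($svc in $Services) {
    $s = Get-Service -Name $svc
    if ($s.Status -ne 'Stopped') {
        Stop-Service -Name $svc -Force
        $s.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))
    }
}

# 2. Replace each hotfix file, keeping a copy of the original and recording
#    SHA-256 hashes so the change can be verified later (or reverted from $backupDir).
$hotfixRoot = $HotfixDir.TrimEnd('\')
$report = foreach ($hf in Get-ChildItem -Path $hotfixRoot -File -Recurse) {
    $rel    = $hf.FullName.Substring($hotfixRoot.Length + 1)   # path relative to the hotfix folder
    $target = Join-Path $InstallDir $rel
    if (-not (Test-Path -Path $target)) {
        throw "Hotfix file '$rel' has no counterpart under '$InstallDir'; check the hotfix package layout."
    }
    $before = (Get-FileHash -Path $target -Algorithm SHA256).Hash
    $bak    = Join-Path $backupDir $rel
    New-Item -ItemType Directory -Path (Split-Path -Path $bak) -Force | Out-Null
    Copy-Item -Path $target -Destination $bak -Force
    Copy-Item -Path $hf.FullName -Destination $target -Force
    $after  = (Get-FileHash -Path $target -Algorithm SHA256).Hash
    [pscustomobject]@{ File = $rel; Replaced = ($before -ne $after); SHA256 = $after }
}

# 3. Restart the services and confirm each one reaches the Running state.
foreach ($svc in $Services) {
    Start-Service -Name $svc
    (Get-Service -Name $svc).WaitForStatus('Running', [TimeSpan]::FromSeconds(60))
}

$report | Format-Table -AutoSize
Write-Host "Originals backed up to $backupDir"
```

A `Replaced` value of `False` in the report means the file already on disk was byte-identical to the hotfix copy, which is worth a second look: either the hotfix was applied earlier or the package was unpacked into the wrong folder. The script stops on the first error, so a missing counterpart file aborts before any service is restarted in a half-patched state.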