Skip to main content

Government officials will never ask you to transfer money or disclose bank log-in details over a phone call.

Call the 24/7 ScamShield Helpline at 1799 if you are unsure if something is a scam.

Cyber Security Agency of Singapore
  1. Home
  2. Alerts & Advisories
  3. Alerts
  4. Critical Vulnerabilities in Veeam ONE
Alerts

Critical Vulnerabilities in Veeam ONE

7 November 2023

Veeam has released security updates to address two critical vulnerabilities (CVE-2023-38547 and CVE-2023-38548) in their Veeam ONE platform, an IT infrastructure monitoring and analytics platform. The vulnerabilities have a Common Vulnerability Scoring System (CVSSv3) score of 9.9 and 9.8 out of 10, respectively.

The critical vulnerabilities are:

  • CVE-2023-38547: A vulnerability which allows an unauthenticated user to gain information about the SQL server connection Veeam ONE uses to access its configuration database. Successful exploitation of this vulnerability could lead to remote code execution on the SQL server hosting the Veeam ONE configuration database.

  • CVE-2023-38548: A vulnerability where an unprivileged user who has access to the Veeam ONE Web Client can have the ability to acquire the NTLM hash of the account used by the Veeam ONE Reporting Service.

The vulnerabilities affect the following product versions:

  • CVE-2023-38547: VEAM ONE 11, 11a, 12

  • CVE-2023-38548: VEAM ONE 12

Users and administrators of the affected product versions are advised to upgrade to the latest product versions immediately.

More information is available here:

https://www.veeam.com/kb4508

https://www.bleepingcomputer.com/news/security/veeam-warns-of-critical-bugs-in-veeam-one-monitoring-platform/

Back to top