Critical Vulnerabilities in Veeam ONE

Published on 07 Nov 2023

Veeam has released security updates to address two critical vulnerabilities (CVE-2023-38547 and CVE-2023-38548) in Veeam ONE, its IT infrastructure monitoring and analytics platform. The vulnerabilities have Common Vulnerability Scoring System (CVSSv3) scores of 9.9 and 9.8 out of 10, respectively.

The critical vulnerabilities are:

  • CVE-2023-38547: A vulnerability that allows an unauthenticated user to obtain information about the SQL server connection Veeam ONE uses to access its configuration database. Successful exploitation of this vulnerability could lead to remote code execution on the SQL server hosting the Veeam ONE configuration database.
  • CVE-2023-38548: A vulnerability that allows an unprivileged user with access to the Veeam ONE Web Client to acquire the NTLM hash of the account used by the Veeam ONE Reporting Service.

The vulnerabilities affect the following product versions:

  • CVE-2023-38547: Veeam ONE 11, 11a, 12
  • CVE-2023-38548: Veeam ONE 12

Users and administrators of the affected product versions are advised to upgrade to the latest product versions immediately.

More information is available here:

https://www.veeam.com/kb4508

https://www.bleepingcomputer.com/news/security/veeam-warns-of-critical-bugs-in-veeam-one-monitoring-platform/