www.belgium.be Logo of the federal government

Warning: Multiple Vulnerabilities In VEAAM One, Patch Immediately!

Advisory #2023-134
Affected software: 
Veeam ONE 11, 11a, 12
Remote Code Execution (RCE), NTLM Hash

CVE-2023-38547 - CVSS 9.9

CVE-2023-38548 - CVSS 9.8

CVE-2023-38549 - CVSS 4.5

CVE-2023-41723 - CVSS 4.3


Veeam - https://www.veeam.com/kb4508


These vulnerabilities pose a significant risk as they could lead to unauthorized access, data theft, and potential system compromise. It’s recommended to apply the available hotfixes to resolve these vulnerabilities.


CVE-2023-38547: This vulnerability allows an unauthenticated user to gain information about the SQL server connection that Veeam ONE uses to access its configuration database. This could potentially lead to remote code execution on the SQL server hosting the Veeam ONE configuration database.

CVE-2023-38548: This vulnerability allows an unprivileged user who has access to the Veeam ONE Web Client to acquire the NTLM hash of the account used by the Veeam ONE Reporting Service. This could potentially lead to unauthorized access to the service.

CVE-2023-38549: This vulnerability allows a user with the Veeam ONE Power User role to obtain the access token of a user with the Veeam ONE Administrator role through the use of XSS. This could potentially lead to unauthorized administrative access, although the risk is reduced as it requires interaction by a user with the Veeam ONE Administrator role.

CVE-2023-41723: This vulnerability allows a user with the Veeam ONE Read-Only User role to view the Dashboard Schedule. The risk is reduced because the user with the Read-Only role is only able to view the schedule and cannot make changes.

Recommended Actions

The Centre for Cyber Security Belgium strongly recommends Windows system administrators to upgrade the affected systems to the latest versions, which fix these issues.


Infosecurity Magazine - https://www.infosecurity-magazine.com/news/veeam-patches-two-critical-bugs/

Bleeping Computer - https://www.bleepingcomputer.com/news/security/veeam-warns-of-critical-b...