Skip to main content
Meet us at Black Hat USA 2026— Las Vegas, August 1–6Book a Meeting
Mallory
Back to vulnerabilities
HighCISA KEVExploited in the wildPublic exploit

Unauthenticated credential extraction in Veeam Backup & Replication Cloud Connect

IdentifiersCVE-2023-27532CWE-306· Missing Authentication for…Also known asveeam_cve_2023_27532

CVE-2023-27532 is an authentication bypass / missing authentication flaw in Veeam Backup & Replication, specifically affecting the Cloud Connect-related service/API exposed by the product. The vulnerability allows an unauthenticated remote attacker to access the local Veeam configuration database through the vulnerable API path and obtain credentials stored there. Multiple supporting references describe the issue as unauthenticated API access for credential extraction and as a missing authentication condition for a critical function. The exposed data includes credentials stored in the configuration database; some reporting describes recovery of encrypted credentials from the database, while other reporting and exploitation writeups describe attackers requesting unencrypted/plaintext credentials from the vulnerable service. In observed intrusions, attackers used PowerShell scripts and compiled tooling to pull Veeam credentials from the service and then leveraged those credentials for follow-on access and code execution within the backup environment.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation exposes sensitive credentials from the Veeam configuration database to an unauthenticated remote attacker. Those credentials can provide access to backup infrastructure hosts, backup servers, connected systems, and potentially broader enterprise assets depending on credential scope and reuse. In real-world incidents, ransomware operators used the flaw to harvest Veeam credentials, pivot into backup infrastructure, execute commands, dump additional credentials, and reduce or destroy recovery options prior to ransomware deployment or extortion. The primary direct impact is credential disclosure, but the operational consequence can extend to full compromise of backup infrastructure and downstream lateral movement.

Mitigation

If you can’t patch tonight, do this now.

Until patching is completed, restrict network exposure to Veeam Backup & Replication services, especially any public-facing or broadly reachable Cloud Connect/API interfaces. Limit access to trusted management networks and administrative hosts only, block unnecessary inbound access from the internet and untrusted internal segments, and isolate backup infrastructure from general user networks. Monitor for exploitation indicators such as anomalous requests to Veeam services, PowerShell scripts targeting Veeam credential extraction, suspicious use of Veeam.Backup.MountService.exe, credential dumping, and unexpected command execution from backup servers. As a compensating control, rotate exposed credentials and enforce segmentation and least privilege for accounts used by Veeam.

Remediation

Patch, then assume compromise.

Apply Veeam’s vendor-provided fix for CVE-2023-27532 and upgrade affected Veeam Backup & Replication deployments to a patched release as specified by Veeam security guidance. Because the flaw has been actively exploited, remediation should include rotating all credentials stored in or accessible from the Veeam configuration database after patching, especially service accounts, backup repository credentials, domain accounts, and any reused administrative credentials. Review backup infrastructure for signs of prior exploitation, including suspicious access to the Veeam service, credential-dumping artifacts, PowerShell execution, unexpected account creation, and post-exploitation activity originating from backup servers.
PUBLIC EXPLOITS

Exploits

2 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (1 hidden).

VALID 2 / 3 TOTALView more in app
CVE-2023-27532MaturityPoCVerified exploit

This repository contains a C# proof-of-concept exploit for CVE-2023-27532, a critical vulnerability in Veeam Backup & Replication. The main exploit logic resides in Program.cs, which allows an attacker to connect to a Veeam Backup & Replication service over TCP (default port 9401) and either extract all stored credentials in plaintext or execute arbitrary commands as SYSTEM on the remote server. The exploit uses the Veeam remote invoke service via a net.tcp endpoint, crafting XML payloads to trigger the vulnerability. The repository includes Visual Studio project files, configuration, and references to Veeam DLLs (which must be present to build the exploit). The exploit is operational and requires network access to the vulnerable service. No detection-only scripts are present; the code is a working exploit. The Readme.md provides usage instructions and credits prior research.

sfewer-r7Disclosed Mar 23, 2023csharpxmlnetwork
CVE-2023-27532MaturityPoCVerified exploit

This repository is a proof-of-concept (POC) exploit for CVE-2023-27532, a vulnerability in Veeam Backup & Replication. The exploit is implemented in C# (.NET 6.0) and consists of a Visual Studio solution with the main logic in 'CVE-2023-27532/Program.cs'. The exploit connects to the Veeam server's net.tcp API endpoint (default port 9401), abuses unsecured remote procedure calls ('CredentialsDbScopeGetAllCreds' and 'CredentialsDbScopeFindCredentials'), and extracts all stored credentials by deserializing the server's responses. The extracted credentials (usernames and passwords) are printed to the console. The repository includes supporting code for serialization/deserialization and the necessary service interface definitions. No authentication is required to exploit the vulnerability, making it a critical issue for unpatched Veeam servers. The README provides usage instructions, mitigation advice, and references for further technical analysis.

horizon3aiDisclosed Mar 18, 2023csharpnetwork
EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
Veeam SoftwareVeeam Backup & Replicationapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

45 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

45 SOURCESView more in app
shroudcloudNews
Apr 14, 2026
Akira - ShroudCloud

A Veeam Backup & Replication vulnerability enabling credential extraction, used by Akira as an alternative initial access vector.

Read more
splunk researchNews
Feb 25, 2026
Detection: Cisco Secure Firewall - Veeam CVE-2023-27532 Exploitation Activity | Splunk Security Content

A Veeam Backup & Replication vulnerability whose exploitation is detected via credential dump attempts followed by xp_cmdshell invocation, indicating possible successful exploitation and remote command execution or credential dumping.

Read more
security affairsNews
Feb 23, 2026
AI-powered campaign compromises 600 FortiGate systems worldwide

Referenced in the actor’s operational notes as a potential exploit target; the report indicates the actor generally failed when attempting exploitation beyond basic automated paths.

Read more
cyber security newsNews
Feb 21, 2026
Hackers Leveraging Multiple AI Services to Compromise 600+ FortiGate Devices

An unauthenticated API access issue in Veeam Backup & Replication that can enable credential extraction.

Read more
+36 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence3

Every observed campaign linking this CVE to a named adversary.

Associated malware6

Malware families riding this exploit, with evidence and IOCs.

Detection signatures1

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity4

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2023-27532
NVD
nvd.nist.gov/vuln/detail/CVE-2023-27532
MITRE CWE · CWE-306
Missing Authentication for Critical Function
Vendor Advisory
veeam.com/kb4424
US Government Resource
cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-27532