Veeam alert clients about serious vulnerabilities in the Veeam ONE

Hotfixes for four vulnerabilities—two of which are critical—in Veeam’s Veeam ONE IT infrastructure monitoring and analytics product were made available today.

Since these vulnerabilities allow attackers to get remote code execution (RCE) and acquire NTLM hashes from servers that are susceptible to attack, the business awarded practically maximum severity ratings (9.8 and 9.9/10 CVSS base scores) to the significant security weaknesses. The other two are medium-severity problems that don’t really affect anything or need user participation.

A flaw in Veeam ONE makes it possible for an unauthorized person to get details about the SQL server connection that Veeam ONE makes in order to access its configuration database. This might result in remote code execution on the SQL server that houses the Veeam ONE configuration database, according to a warning on the problem identified as CVE-2023-38547 that was released today.

The following hotfixes have been published by the firm to address these problems, which affect actively supported Veeam ONE versions up to the most recent release (download links are given in this security advisory):

12 P20230314 (12.0.1.2591) Veeam ONE 12
ONE 11a Veeam (11.0.1.1880)
ONE 11 Veeam (11.0.0.1379)