Cross-platform exploit is now available for a high-severity backup service vulnerability affecting Veeam’s Backup and Replication (VBR) software.

The flaw (CVE-2023-27532) affects all versions of VBR and can be exploited by unauthenticated attackers to breach the backup infrastructure after stealing clear text credentials and obtaining remote code execution as SYSTEM.

Veeam released security updates on March 7 to address this vulnerability for VBR V11 and V12, advising customers using older versions to upgrade to secure vulnerable devices running unsupported versions.

“We have developed patches for V11 and V12 to mitigate this vulnerability and recommend that you update your installations immediately,” the company warned.

The company also shared an interim fix for admins who couldn’t immediately deploy the fixes, which requires blocking external connections to TCP port 9401 using the backup server’s firewall to remove the vector. offensive.

Veeam said its VBR software is used by more than 450,000 customers worldwide, including 82% of Fortune 500 companies and 72% of the Global 2000.

Today, just over two weeks after Veeam released the CVE-2023-27532 patch, the Horizon3 attack team released a technical analysis of the root causes of this very serious vulnerability.

They also released cross-platform proof-of-concept (PoC) exploit code which allows obtaining plaintext credentials from the VBR configuration database by abusing an insecure API endpoint.

“We released our POC on Github, which is built on the .NET core and capable of running on Linux, making it available to a wider audience,” said Horizon3 vulnerability researcher James Horseman. said.

“It is important to note that this vulnerability should be taken seriously and patches should be applied as soon as possible to keep your organization secure.”

Last week, security researchers at Huntress shared a video demo of their own PoC exploit able to dump credentials in clear text and achieve arbitrary code execution via additional API calls that could be weaponized.

“While unauthenticated credential flushing acts as a vector for lateral movement or post-exploitation, the vulnerability in question can also be used for unauthenticated remote code execution – turning the vulnerable Veeam instance itself into a vector of initial access or additional compromise,” Huntress Lab security researchers John Hammond explained.

Out of 2 million endpoints running its agent software, Huntress said it detected more than 7,500 hosts running Veeam Backup & Replication software vulnerable to CVE-2023-27532 exploits.

Although there are no reports of malicious actors exploiting this vulnerability and no attempts to exploit it in the wild, attackers will likely create their own exploits based on the PoC code published by Horizon3 researchers to target Veeam servers exposed to the Internet.