Veeam has just informed it’s customers about an existing vulnerability in Veeam Backup & Replication. Unauthorized users may be able to request encrypted credentials from the VBR service, and therefore get access to the backup infrastructure. The KB articles haven’t received updates so far, but the vulnerability did get a CVSSv3 score of 7.5.
EDIT: The KB article has just been published: KB4424
It’s recommended to patch VBR as soon as possible!
Solution
Patches have been released for VBR V11 and V12. Please keep in mind that older releases are also affected, but no longer get fixes. So you need to upgrade your installation to a supported release.
Workaround
As a temporary workaround you can block access to TCP port 9401 on your Veeam Backup & Replication server. This will affect the connection of mount servers to the VBR server, so only use this if you don’t have a distributed Veeam environment. And still apply the patch as soon as possible.
Note about recent deployments
If you have recently deployed V11 or V12 then check the ISO image you’ve used for the installation. 20230227 (V11) and 20230223 (V12) already contain the patches and so aren’t vulnerable anymore.