top of page

Veeam Backup Plan Gone Wrong: The Uninvited Guest at Your Data Breach Party - CVE-2023-27532

A vulnerability in Veeam Backup & Replication component

If you are not a Cytidel customer, you may have missed a sneaky vulnerability, CVE-2023-27532, that we first flagged for our customers in early March. This is a Veeam Backup & Replication software vulnerability that could put your sensitive data and systems at risk. Unfortunately, it seems that the notorious Russian cybercrime group FIN7 has been taking advantage of unpatched instances of the software to launch attacks and potentially gain unauthorized access to sensitive data and systems.

In today's post, we're going to take a closer look at this vulnerability and share some tips to help keep your data safe. So grab a cup of coffee, and let's dive in!

Why Should I Care?

If you are a business owner concerned about the security of your data backups, you may need to take action to protect your business from potential attacks. In the age of ransomware attacks, this vulnerability is particularly dangerous because attackers can target and delete backups to force companies to pay for getting their data back. In addition, no logs are retained on the device following a successful attack, indicating that an attack may go unnoticed.

Russian cybercrime group FIN7 has already been observed exploiting unpatched instances of Veeam Backup & Replication software to execute attacks. These attacks were caught in March 2023 and were initiated by exploiting this recently patched vulnerability. FIN7 has been seen performing network reconnaissance, stealing information, achieving persistence, and moving laterally using the stolen credentials obtained through the exploit.

What Can I Do?

Veeam have issued an advisory, and users of Veeam Backup & Replication software are urged to install patches and upgrade to a supported version as soon as possible.

Here are some further steps that you can take:

  • Install the patches: The patches were included in application versions 12 (build P20230223) and 11a (build P20230227).

  • Block external connections to TCP port 9401: If users have an all-in-one Veeam appliance with no remote backup infrastructure components, they can block external connections to TCP port 9401 in the backup server firewall as a temporary remediation until the patch is installed.

  • Upgrade to a supported version: Users of older Veeam Backup & Replication versions are advised to update to a supported version as soon as possible.

  • Proactively monitor backup infrastructure hosts for any indications of compromise.

  • Stay alert: Remain vigilant and keep an eye out for any questionable activity related to Veeam Backup & Replication software.

Keep your organisation ahead of threats with Cytidel Threat Intelligence

To find out more about Cytidel’s threat intelligence offering, visit

Stay safe and secure!

The Cytidel Threat Intelligence Team

bottom of page