Veeam has warned against a vulnerability that could give an attacker remote code execution (RCE) on the SQL server of its Veeam ONE monitoring platform.
Veeam ONE 11, 11a and 12 is also used in versions 5 and 6 of the company’s disaster recovery orchestrator, and version 4 of its availability orchestrator.
According to the company’s advisory, CVE-2023-38547 (CVSS score of 9.9) “allows an unauthenticated user to gain information about the SQL server connection Veeam ONE uses to access its configuration database.”
An attacker who gains that information could get RCE on the server hosting the configuration database.
A second critical vulnerability, CVE-2023-38548 (CVSS score 9.8), lets an unprivileged user with access to the Veeam ONE Web client obtain the Microsoft “NTLM hash of the account used by the Veeam ONE Reporting Service.”
There are also two lower-rated vulnerabilities the company patched earlier this week.
CVE-2023-38549 (CVSS score 4.5) carries a lower-rating because it’s only exploitable by an attacker with a Veeam ONE Power User role. The attacker could use a cross-site scripting (XSS) attack to get the access token of an administrator.
In CVE-2023-41723 (CVSS score 4.3), someone with read-only privileges could view the software’s dashboard schedule.
The company noted that vulnerability testing was only conducted against currently supported versions of its software.
The patches are provided as hotfix files that need the Veeam ONE monitoring and reporting services to be stopped and restarted.