CVE-2023-38547 & CVE-2023-38548: Two Critical Vulnerabilities in Veeam ONE

Share :

On November 6, 2023, Veeam published security hotfixes for two critical-severity vulnerabilities impacting Veeam ONE.  

  • CVE-2023-38547 (CVSS 9.9) could allow an unauthenticated threat actor to obtain information about the SQL server connection used by Veeam ONE to access its configuration database, which in turn could lead to remote code execution (RCE) on the SQL server hosting the product.  
  • CVE-2023-38548 (CVSS 9.8) could allow a threat actor to obtain the NTLM hash of the account used by the Veeam ONE Reporting Service.  

At this time, Arctic Wolf has not identified active exploitation of either vulnerability, nor a published proof of concept (PoC) exploit. Although threat actors have not historically targeted Veeam ONE products, obtaining RCE on the monitoring and analytics platform will likely increase the potential for threat actors to create a working PoC exploit and attempt exploitation. In 2023, multiple threat actors, including FIN7 and the Cuba ransomware group, targeted RCE vulnerabilities in Veeam’s Backup and Replication product to further compromise victim organizations.  

Recommendations for CVE-2023-38547 & CVE-2023-38548

Apply Applicable Security Hotfixes to Vulnerable Versions of Veeam ONE  

Arctic Wolf strongly recommends applying the latest security hotfixes to affected Veeam ONE products. Full instructions are available in the Veeam Advisory located here:  

Veeam performed vulnerability testing against actively supported versions only.  




Affected Version 




Fixed Version 


Veeam ONE  11  CVE-2023-38547  Veeam ONE 11 ( 
11a  CVE-2023-38547  Veeam ONE 11a ( 
12  CVE-2023-38547, CVE-2023-38548  Veeam ONE 12 P20230314 ( 


Note: The hotfix for is not compatible with Veaam ONE 12 GA (build and will cause the Veeam ONE Reporting Service to not start. Organizations must update to before applying the hotfix  

Please follow your organization’s patching and testing guidelines to avoid any operational impact.  


  1. Veeam Advisory
  2. Exploitation of Veeam Backup and Replication  
  3. Cuba Ransomware Deploys New Tools: BlackBerry Discovers Targets Including Critical Infrastructure Sector in the U.S. and IT Integrator in Latin America  


Picture of Steven Campbell

Steven Campbell

Steven Campbell is a Senior Threat Intelligence Researcher at Arctic Wolf Labs and has more than eight years of experience in intelligence analysis and security research. He has a strong background in infrastructure analysis and adversary tradecraft.
Share :
Table of Contents
Subscribe to our Monthly Newsletter