Severity: Critical | Status: Active | Advisory ID: ACT-2026-003 | TLP:WHITE

Advisory: Ransomware Groups Actively Exploiting Veeam Backup Vulnerability (CVE-2023-27532)

Published: December 1, 2025 | Disclosed: December 1, 2025 | By: stampede | Category: Vulnerability
Advisory Details

Overview

Axion Core Technologies is issuing a critical advisory warning Nigerian organisations of active exploitation of CVE-2023-27532, a critical vulnerability in Veeam Backup & Replication. Multiple ransomware groups — including the Estate and Phobos ransomware operations — have been observed using this vulnerability as their primary initial access vector in enterprise network breaches.

Given the widespread use of Veeam across Nigerian financial services, government, and enterprise environments, organisations that have not applied available patches are at immediate and significant risk.

Vulnerability Details

CVE-2023-27532 is a critical unauthenticated information disclosure vulnerability in Veeam Backup & Replication. It allows an unauthenticated attacker to request encrypted credentials stored in the Veeam configuration database, which can then be used to gain administrative access to the backup server and, from there, pivot laterally into the broader network.

CVSS Score: 7.5 (High) — however, active ransomware exploitation elevates the operational risk rating to Critical.

Affected Products

  • Veeam Backup & Replication versions earlier than 12.0.0.1420 (V12) and 11.0.1.1261 P20230227 (V11)
  • All Windows-based Veeam deployments with TCP port 9401 exposed to untrusted networks

Observed Threat Actor Activity

The Estate ransomware group has been leveraging CVE-2023-27532 to gain initial access, extract credentials, and deploy ransomware payloads across enterprise environments. The Phobos ransomware affiliate network has also been confirmed using this vulnerability, with activity observed in the West African region including Nigeria as early as 2023.

Attack Chain

  1. Attacker scans for internet-exposed Veeam installations on TCP port 9401
  2. Unauthenticated request extracts encrypted credentials from the Veeam database
  3. Attacker decrypts credentials and authenticates to the Veeam server with administrative access
  4. From the backup server, attacker pivots laterally using harvested domain credentials
  5. Ransomware payload deployed across the network; backup data is targeted and deleted to prevent recovery

Mitigation & Remediation

Immediate actions:

  1. Patch Veeam Backup & Replication to version 12.0.0.1420 or 11.0.1.1261 P20230227 immediately.
  2. Block external access to TCP port 9401 at the firewall level — this port should never be exposed to the internet.
  3. Audit Veeam credentials and rotate all associated passwords immediately.
  4. Review recent authentication logs on your Veeam server for evidence of unauthorised access.
  5. Isolate Veeam infrastructure from the general network using network segmentation.
  6. Ensure backup data is stored in an immutable or air-gapped location that ransomware actors cannot reach.
  7. Enable multi-factor authentication on all Veeam management interfaces.
  8. If compromise is suspected, engage incident response immediately — do not power off affected systems before forensic imaging.

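To turn the patch-level and port-exposure guidance above into a repeatable check, here is an added Python triage script; it is not part of this advisory or of any Veeam tooling. The fixed builds and the TCP 9401 rule come from the advisory itself, while the hostnames and versions in SAMPLE are constructed.

```python
# Added example for this advisory (not Axion Core's or Veeam's own tooling): triage
# a Veeam Backup & Replication inventory against the fixed builds named above,
# 12.0.0.1420 (V12) and 11.0.1.1261 P20230227 (V11). Hostnames and versions in
# SAMPLE are constructed.
import re

# V11's fix is patch P20230227 on build 11.0.1.1261, so a bare "11.0.1.1261"
# without the patch tag is still treated as affected.
FIXED = {12: ((12, 0, 0, 1420), None), 11: ((11, 0, 1, 1261), "P20230227")}
_VER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)(?:\s+(P\d{8}))?$")
# Unpatched + internet-exposed is the attack-chain precondition; patched but
# exposed still violates the "never expose 9401" guidance.
RISK = {(True, True): "CRITICAL", (True, False): "HIGH", (False, True): "MEDIUM"}

def parse_version(text):
    """Return (build_tuple, patch_tag_or_None); reject strings we cannot read."""
    m = _VER_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Veeam version string: {text!r}")
    return tuple(int(x) for x in m.groups()[:4]), m.group(5)

def is_vulnerable(version_text):
    """True if the build is below the advisory's fixed build for its major version."""
    build, patch = parse_version(version_text)
    if build[0] not in FIXED:
        raise ValueError(f"major version {build[0]} is not covered by this advisory")
    fixed_build, required_patch = FIXED[build[0]]
    if build < fixed_build:
        return True
    # Same build number but the required patch tag is absent: not fixed.
    return build == fixed_build and required_patch is not None and patch != required_patch

def triage(inventory):
    """inventory: (hostname, version, port_9401_exposed_to_internet) tuples.
    Returns (risk, host, version, exposed) for hosts needing action, worst first."""
    findings = []
    for host, version, exposed in inventory:
        risk = RISK.get((is_vulnerable(version), bool(exposed)))
        if risk:
            findings.append((risk, host, version, exposed))
    order = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2}
    return sorted(findings, key=lambda f: order[f[0]])

SAMPLE = [  # constructed inventory
    ("vbr-01", "12.0.0.1402", True),
    ("vbr-02", "11.0.1.1261", False),
    ("vbr-03", "11.0.1.1261 P20230227", False),
    ("vbr-04", "12.0.0.1420", True),
]
```

Feed it your real asset list (version string from the Veeam console, exposure flag from an external port scan of TCP 9401) and work the CRITICAL rows first.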
Disclaimer: This advisory is provided for informational purposes only. Axion Core Technologies makes no warranties regarding the accuracy or completeness of the information contained herein. Organisations should conduct their own assessment and implement appropriate security measures.