Veeam Backup & Replication Vulnerability - Seclists Advisory

2015

09 October 2015

Event: N/A

What: Veeam

veeam backup replication vulnerability privilege-escalation seclists isgroup

On October 9, 2015, a security advisory signed by Pasquale “sid” Fiorillo, Francesco “ascii” Ongaro, and Antonio “s4tan” Parata was distributed on the Bugtraq mailing list and published on Seclists.org. It describes a serious vulnerability in Veeam Backup & Replication versions 6, 6.5, 7, and 8. The analysis, which resulted from a penetration test conducted by ISGroup SRL for a client, found that administrative credentials were exposed in logs readable even by non-privileged users. The document credits Ongaro as co-author of the discovery and technical disclosure, and reports that the vendor subsequently fixed the vulnerability in Veeam B&R 8.0 Update 3. ISGroup is also explicitly cited as the business entity responsible for the discovery and as a reference point for high-value offensive activities.

Archived PDF document