Unauthenticated credential extraction in Veeam Backup & Replication Cloud Connect

This repository contains a C# proof-of-concept exploit for CVE-2023-27532, a critical vulnerability in Veeam Backup & Replication. The main exploit logic resides in Program.cs, which allows an attacker to connect to a Veeam Backup & Replication service over TCP (default port 9401) and either extract all stored credentials in plaintext or execute arbitrary commands as SYSTEM on the remote server. The exploit uses the Veeam remote invoke service via a net.tcp endpoint, crafting XML payloads to trigger the vulnerability. The repository includes Visual Studio project files, configuration, and references to Veeam DLLs (which must be present to build the exploit). The exploit is operational and requires network access to the vulnerable service. No detection-only scripts are present; the code is a working exploit. The Readme.md provides usage instructions and credits prior research.

This repository is a proof-of-concept (POC) exploit for CVE-2023-27532, a vulnerability in Veeam Backup & Replication. The exploit is implemented in C# (.NET 6.0) and consists of a Visual Studio solution with the main logic in 'CVE-2023-27532/Program.cs'. The exploit connects to the Veeam server's net.tcp API endpoint (default port 9401), abuses unsecured remote procedure calls ('CredentialsDbScopeGetAllCreds' and 'CredentialsDbScopeFindCredentials'), and extracts all stored credentials by deserializing the server's responses. The extracted credentials (usernames and passwords) are printed to the console. The repository includes supporting code for serialization/deserialization and the necessary service interface definitions. No authentication is required to exploit the vulnerability, making it a critical issue for unpatched Veeam servers. The README provides usage instructions, mitigation advice, and references for further technical analysis.