Veeam One
By the Year
In 2026 there have been 0 vulnerabilities in Veeam One. Veeam One did not have any published security vulnerabilities last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 0 | 0.00 |
| 2025 | 0 | 0.00 |
| 2024 | 6 | 7.13 |
| 2023 | 4 | 5.95 |
| 2022 | 0 | 0.00 |
| 2021 | 0 | 0.00 |
| 2020 | 2 | 0.00 |
It may take a day or so for new Veeam One vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Veeam One Security Vulnerabilities
XSS in Reporter Widgets via HTML injection
CVE-2024-42020
5.4 - Medium
- September 07, 2024
A Cross-site-scripting (XSS) vulnerability exists in the Reporter Widgets that allows HTML injection.
XSS
RCE via Veeam ONE Agent service creds
CVE-2024-42024
8.8 - High
- September 07, 2024
A vulnerability that allows an attacker in possession of the Veeam ONE Agent service account credentials to perform remote code execution on the machine where the Veeam ONE Agent is installed.
Improper Access Control: Remote Privilege Escalation (CVE-2024-42023)
CVE-2024-42023
8.8 - High
- September 07, 2024
An improper access control vulnerability allows low-privileged users to execute code with Administrator privileges remotely.
Incorrect Permission Assignment Enables Config File Modification (IPAM)
CVE-2024-42022
5.3 - Medium
- September 07, 2024
An incorrect permission assignment vulnerability allows an attacker to modify product configuration files.
Improper Access Control: Credentials Exposed via Valid Tokens
CVE-2024-42021
6.5 - Medium
- September 07, 2024
An improper access control vulnerability allows an attacker with valid access tokens to access saved credentials.
Veeam Reporter Service NTLM Hash Exposure via User Interaction
CVE-2024-42019
8 - High
- September 07, 2024
A vulnerability that allows an attacker to access the NTLM hash of the Veeam Reporter Service service account. This attack requires user interaction and data collected from Veeam Backup & Replication.
Veeam ONE Read-Only View Dashboard Schedule Info Disclosure
CVE-2023-41723
4.3 - Medium
- November 07, 2023
A vulnerability in Veeam ONE allows a user with the Veeam ONE Read-Only User role to view the Dashboard Schedule. Note: The criticality of this vulnerability is reduced because the user with the Read-Only role is only able to view the schedule and cannot make changes.
Unprivileged NTLM Hash Leak via Veeam ONE Web Client
CVE-2023-38549
5.4 - Medium
- November 07, 2023
A vulnerability in Veeam ONE allows an unprivileged user who has access to the Veeam ONE Web Client the ability to acquire the NTLM hash of the account used by the Veeam ONE Reporting Service. Note: The criticality of this vulnerability is reduced as it requires interaction by a user with the Veeam ONE Administrator role.
XSS
Veeam ONE Web Client NTLM Hash Leak via Unprivileged Access
CVE-2023-38548
4.3 - Medium
- November 07, 2023
A vulnerability in Veeam ONE allows an unprivileged user who has access to the Veeam ONE Web Client the ability to acquire the NTLM hash of the account used by the Veeam ONE Reporting Service.
Veeam ONE RCE via SQL Server Connection Info Leak
CVE-2023-38547
9.8 - Critical
- November 07, 2023
A vulnerability in Veeam ONE allows an unauthenticated user to gain information about the SQL server connection Veeam ONE uses to access its configuration database. This may lead to remote code execution on the SQL server hosting the Veeam ONE configuration database.
This vulnerability allows remote attackers to execute arbitrary code on affected installations of VEEAM One Agent 9.5.4.4587
CVE-2020-10914
- April 22, 2020
This vulnerability allows remote attackers to execute arbitrary code on affected installations of VEEAM One Agent 9.5.4.4587. Authentication is not required to exploit this vulnerability. The specific flaw exists within the PerformHandshake method. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-10400.
Marshaling, Unmarshaling
This vulnerability allows remote attackers to execute arbitrary code on affected installations of VEEAM One Agent 9.5.4.4587
CVE-2020-10915
- April 22, 2020
This vulnerability allows remote attackers to execute arbitrary code on affected installations of VEEAM One Agent 9.5.4.4587. Authentication is not required to exploit this vulnerability. The specific flaw exists within the HandshakeResult method. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-10401.
Marshaling, Unmarshaling