Backup systems exist to be the last line of defense. When ransomware encrypts your files, when a server fails, when a disaster strikes, backup software is what organizations count on to survive. That simple premise is exactly why Veeam Backup and Replication servers have become one of the most aggressively targeted pieces of enterprise infrastructure in the world. As watchTowr Labs researcher Sina Kheirkhah put it bluntly in a September 2024 analysis: “There’s no point deploying cryptolocker malware on a target unless you can also deny access to backups, and so, this class of attackers absolutely loves to break this particular software.”
Veeam Software is one of the most widely deployed data protection platforms on the planet, trusted by more than 550,000 organizations worldwide, including the majority of the Global 2000. It backs up virtual machines, physical servers, and cloud workloads across environments of every size. That level of trust and adoption, combined with the critical nature of what the software protects, makes it an extraordinarily attractive target for ransomware operators, financially motivated cybercriminals, and state-sponsored espionage groups alike.
Between 2023 and early 2026, a cascading series of critical vulnerabilities in Veeam products was discovered, disclosed, and actively exploited in real-world attacks. Two vulnerabilities in particular, CVE-2023-27532 and CVE-2024-40711, became central to dozens of ransomware incidents. Simultaneously, a newly identified Chinese state-sponsored threat group designated UNC6201 was quietly exploiting a separate but related zero-day vulnerability in backup and recovery infrastructure, going undetected for over a year. Together, these incidents paint a picture of backup infrastructure as a primary attack surface, not a fallback plan.
This article examines the full scope of these threats: the technical mechanics of each vulnerability, the threat actors involved, the real-world attack sequences that unfolded, and what organizations must do to protect themselves.
Understanding the Target: Why Veeam Servers?
To understand why Veeam has become such a consistent target, it helps to understand what a Veeam Backup and Replication server actually holds. At its core, a Veeam server is a central repository for an organization's most sensitive operational data. It stores backup copies of every system it protects, but it also stores the credentials used to access those systems. The Veeam configuration database contains encrypted credentials for every managed host, which means that a single compromised Veeam server can theoretically yield authentication material for an organization's entire infrastructure.
A ransomware attack is most effective when victims cannot recover. Encrypting production data is the first blow; destroying or corrupting the backups is the knockout punch. By targeting Veeam servers, attackers can eliminate the organization's ability to recover without paying the ransom, enabling the double-extortion model that has become standard practice among ransomware gangs.
Incident response data makes this priority abundantly clear. Caitlin Condon, director of vulnerability intelligence at Rapid7, noted in October 2024 that “more than 20 percent of Rapid7 incident response cases in 2024 have involved Veeam being accessed or exploited in some manner, typically once an adversary has already established a foothold in the target environment.” In those cases the Veeam server was a high-value objective within the network rather than a point of entry: the attacker already held a foothold before turning to it. By 2025, this calculus had shifted further. Security firm Cyber Centaurs observed that across healthcare, manufacturing, and technology environments, Veeam servers were being targeted within the first 48 hours of an intrusion, making them a primary objective rather than a secondary one.
Attackers are also exploiting Veeam servers as a data exfiltration point. Because Veeam stores backup images of every protected system, a threat actor who gains access to the backup server can extract far more data than they could by targeting individual production systems. They are effectively pulling a snapshot of the entire organization from a single, often under-monitored source.
CVE-2023-27532: The Credential Harvest
Vulnerability Overview
On March 7, 2023, Veeam published a security advisory disclosing CVE-2023-27532, a high-severity vulnerability affecting Veeam Backup and Replication. The vulnerability carries a CVSS score of 7.5 and exists in the Veeam.Backup.Service.exe process, which by default listens on TCP port 9401.
The core issue is a missing authentication control on the Windows Communication Foundation (WCF) service endpoints exposed by this process. Any unauthenticated user who can reach TCP port 9401 within the backup infrastructure network can query these endpoints and retrieve encrypted credentials stored in the Veeam configuration database. While Veeam initially described the output as encrypted credentials, researchers at Horizon3 and Huntress quickly demonstrated that the underlying API endpoints could be used to extract plaintext usernames and passwords, not merely encrypted values.
Specifically, by invoking the CredentialsDbScopeGetAllCreds and CredentialsDbScopeFindCredentials endpoints, a remote unauthenticated attacker could obtain the usernames and cleartext passwords of every system managed by the Veeam backup server. With those credentials in hand, an attacker could authenticate directly to managed hosts, including domain controllers, ESXi hypervisors, file servers, and any other system Veeam had been configured to protect. The vulnerability affects all Veeam Backup and Replication versions prior to version 12 build 12.0.0.1420 P20230223 and version 11a build 11.0.1.1261 P20230227.
Exploitation in the Wild
Exploitation of CVE-2023-27532 began within weeks of a public proof-of-concept being released by Horizon3 in March 2023. The vulnerability was added to CISA's Known Exploited Vulnerabilities catalog in August 2023 and confirmed as actively used in ransomware campaigns.
The financially motivated FIN7 threat group, with connections to the Conti, REvil, Maze, Egregor, and BlackBasta ransomware operations, was among the first groups linked to exploitation. Security firm Group-IB documented in early 2024 how the EstateRansomware group used CVE-2023-27532 as part of a multi-stage attack chain. The attackers obtained initial access through a compromised Fortinet FortiGate firewall VPN account, pivoted to the failover server, and then exploited the Veeam vulnerability to enable xp_cmdshell on the backup SQL server and create a rogue account named VeeamBkp. They also conducted network discovery, credential harvesting, and deployed a persistent backdoor before ultimately deploying ransomware.
Canadian cybersecurity firm BlackBerry documented a separate incident in mid-2024 in which an unnamed Latin American airline was targeted using Akira ransomware, with CVE-2023-27532 used for initial access. Attackers obtained SSH access, exfiltrated critical data, and deployed ransomware the following day, abusing legitimate tools alongside living-off-the-land binaries to avoid detection. The Akira and Cuba ransomware groups also leveraged this vulnerability across multiple campaigns, confirming it as a reliable initial access vector that remained dangerous long after a patch had been available.
The persistence of exploitation, continuing well into 2024 and beyond the March 2023 patch release, reflects a common and dangerous pattern: organizations are slow to patch backup infrastructure. Unlike production servers or user endpoints, backup servers are often treated as secondary systems that do not require the same urgency. That assumption has proven costly.
CVE-2024-40711: Unauthenticated Remote Code Execution
Vulnerability Overview
On September 4, 2024, Veeam released a security bulletin disclosing eighteen vulnerabilities across its product lineup, including five critical and thirteen high-severity flaws affecting Veeam Backup and Replication, Veeam ONE, Veeam Service Provider Console, and other products. The most severe among them was CVE-2024-40711, a critical unauthenticated remote code execution vulnerability in Veeam Backup and Replication. The vulnerability carries a CVSS score of 9.8, placing it near the absolute top of the severity scale.
CVE-2024-40711 was discovered by Florian Hauser, a security researcher at Germany-based CODE WHITE, who reported it responsibly to Veeam. In a post on X, CODE WHITE emphasized the severity: “Better patch your Veeam Backup & Replication servers! Full system takeover via CVE-2024-40711—no technical details from us this time because this might instantly be abused by ransomware gangs.” The vulnerability exists in the Veeam RESTful API and stems from a deserialization flaw: the application accepts and processes untrusted, serialized data without adequate validation, allowing an attacker to craft a malicious payload that causes the server to execute arbitrary code. Crucially, the exploitation requires no authentication and no user interaction, meaning an attacker who can reach the Veeam server over the network can achieve full system takeover with a single, low-complexity request.
Security researchers from watchTowr Labs analyzed the vulnerability and determined it was actually composed of two distinct flaws: an improper authorization bug and a deserialization bug. Veeam had partially addressed the improper authorization component in version 12.1.2.172 released in late May 2024, which downgraded the vulnerability to require authentication. The deserialization bug itself was patched in version 12.2.0.334, released September 4, 2024. Researchers noted, however, that even the version 12.2 patch may not fully resolve all aspects of the vulnerability.
The specific exploitation mechanism involves sending a malicious payload to the URI /trigger on port 8000, which causes the Veeam.Backup.MountService.exe process to spawn net.exe. This allows the attacker to execute operating system commands as a high-privileged account directly on the Veeam server.
The Race to Exploit
Both CODE WHITE and watchTowr Labs took the unusual step of withholding proof-of-concept exploit code when they disclosed their findings. watchTowr researcher Sina Kheirkhah explained their reasoning: “We’re breaking with tradition on this bug by not releasing a full exploit chain. We’re a little worried by just how valuable this bug is to malware operators, and so are (on this occasion only) refraining from dropping a working exploit.” Despite this restraint, partial exploit details emerged publicly within days of disclosure, and a working exploit was developed by independent researchers within hours of the watchTowr technical writeup being published.
watchTowr did publish its proof-of-concept code on September 15, 2024, providing eleven days of lead time for administrators to patch before a fully functional exploit was public. By that point, partial exploitation had already been observed. The exploit code demonstrated how an attacker could use the deserialization gadget chain to achieve unauthenticated remote code execution, effectively granting complete control of the Veeam server.
Censys identified nearly 3,000 Veeam Backup and Replication servers exposed directly to the public internet at the time of disclosure, concentrated primarily in Germany and France. Censys researchers warned that the vulnerability was “particularly concerning because it’s likely to be exploited by ransomware operators to compromise backup systems and potentially create double-extortion scenarios.” The exposure of these systems, combined with a publicly available exploit, created ideal conditions for mass exploitation.
Ransomware Campaigns: Fog, Akira, and Frag
By early October 2024, Sophos X-Ops began tracking active exploitation of CVE-2024-40711 in ransomware attacks. In a post on Mastodon, the Sophos team stated: “Sophos X-Ops MDR and Incident Response are tracking a series of attacks in the past month leveraging compromised credentials and a known vulnerability in Veeam (CVE-2024-40711) to create an account and attempt to deploy ransomware.” Their incident response team documented at least four confirmed cases within a short period, with indicators overlapping across the Fog and Akira ransomware families. The attack sequence was consistent across incidents: attackers obtained initial access using compromised VPN credentials on gateways that lacked multi-factor authentication, then exploited CVE-2024-40711 on the Veeam URI /trigger on port 8000, causing the MountService process to execute net.exe commands that created a local account named point and added it to the Local Administrators and Remote Desktop Users groups. From there, attackers moved laterally and deployed ransomware.
In one documented case, Fog ransomware was deployed on an unprotected Hyper-V server, while the rclone utility was used to exfiltrate data before encryption. The dual exfiltration-and-encryption approach is characteristic of modern double-extortion operations.
By November 2024, a third ransomware family had joined the exploitation wave. Sophos documented attacks involving a previously undocumented ransomware variant called Frag, operated by a cybercriminal group tracked as STAC 5881 using nearly identical tactics, techniques, and procedures to Akira and Fog. A Sophos X-Ops researcher noted that “Frag is executed on the command line with a number of parameters, with one required: percentage of file encryption.” In the Frag attacks, a second rogue account named point2 was also created, suggesting operational iterations from the same access broker or affiliate network. Sophos assessed this as likely evidence of an access broker selling compromised Veeam access to multiple ransomware-as-a-service affiliates operating different ransomware platforms.
CISA formally added CVE-2024-40711 to its Known Exploited Vulnerabilities catalog on October 17, 2024, confirming active exploitation in ransomware campaigns and taking the rare step of specifying the ransomware connection in the catalog entry. The UK's National Health Service issued its own cybersecurity alert about the vulnerability on October 11, 2024, warning that “enterprise backup and disaster recovery applications are valuable targets for cyber threat groups.”
UNC6201: Chinese State-Sponsored Espionage and the Backup Infrastructure Connection
A New Threat Actor Emerges
While ransomware operators dominated the Veeam exploitation headlines, a far more patient and sophisticated campaign was unfolding in parallel. In February 2026, Google's Threat Intelligence Group and Mandiant published research revealing that a previously undocumented Chinese state-sponsored threat cluster, designated UNC6201, had been exploiting a critical zero-day vulnerability in Dell RecoverPoint for Virtual Machines since at least mid-2024. Rich Reece, Manager of Mandiant Consulting at Google Cloud, stated that “the actor is likely still active in unpatched and remediated environments, and because exploitation has been occurring since mid-2024, they have had significant time to establish persistence and carry out long-term espionage.”
Dell RecoverPoint is an enterprise data replication and disaster recovery appliance designed for VMware environments. Like Veeam, it sits at the heart of an organization's backup and recovery infrastructure, making it a high-value target for a threat actor whose objectives include long-term persistent access and intelligence gathering rather than rapid financial extortion.
The vulnerability exploited by UNC6201, tracked as CVE-2026-22769, carries a perfect CVSS score of 10.0 and involves hardcoded default credentials in the Apache Tomcat Manager configuration file at the path /home/kos/tomcat9/tomcat-users.xml. Dell's security advisory described the impact directly: “This is considered critical as an unauthenticated remote attacker with knowledge of the hardcoded credential could potentially exploit this vulnerability, leading to unauthorized access to the underlying operating system and root-level persistence.” An attacker who knows or discovers these credentials can authenticate to the Tomcat Manager, upload a malicious WAR file through the /manager/text/deploy endpoint, and execute commands as root on the appliance. This grants complete control of the device without requiring any exploitation of memory corruption or complex vulnerability chaining.
The Overlap with Silk Typhoon
UNC6201 does not operate in isolation. Google Threat Intelligence Group identified notable overlaps between UNC6201 and a separate Chinese threat cluster designated UNC5221, which is associated with the Silk Typhoon state-sponsored group. UNC5221 has been documented exploiting Ivanti zero-days to target government agencies, deploying custom malware including Spawnant and Zipline. While Google does not consider UNC6201 and UNC5221 to be identical, the shared tooling and targeting patterns suggest coordination, shared resources, or common direction within the broader Chinese intelligence apparatus.
CrowdStrike has separately linked the BRICKSTORM malware used by this cluster to attacks on VMware vCenter servers at legal, technology, and manufacturing companies in the United States, tracking this activity under the name Warp Panda. The consistent targeting of virtualization and backup infrastructure across multiple attributed Chinese threat clusters reflects a deliberate strategic priority: gaining persistent access to the systems that underpin enterprise IT operations.
The Malware Arsenal: BRICKSTORM, SLAYSTYLE, and GRIMBOLT
UNC6201 deployed a layered toolkit to maintain persistent access across compromised environments. The initial backdoor deployed was BRICKSTORM, a malware family first documented by Mandiant in April 2024, developed specifically for appliances and edge devices that do not support traditional endpoint detection and response solutions. BRICKSTORM provides command-and-control capability and is designed to remain undetected on infrastructure that lacks the logging and monitoring capabilities of conventional servers.
Alongside BRICKSTORM, the attackers deployed a webshell named SLAYSTYLE, which was used to establish persistent web-based access to the compromised Dell RecoverPoint appliance. Evidence indicates that SLAYSTYLE was deployed as early as mid-2024, providing the threat actor a stable foothold throughout the campaign.
In September 2025, UNC6201 began replacing BRICKSTORM with a new backdoor called GRIMBOLT. Charles Carmakal, CTO and board advisor at Mandiant Consulting, described the evolution: “This is a C# backdoor compiled using native ahead-of-time compilation, making it harder to reverse engineer.” GRIMBOLT is packed with UPX, a compression tool that reduces the size of the native binary produced by AOT compilation. The AOT compilation itself converts the C# code directly to machine language before execution, eliminating the intermediate language metadata that analysts typically use for reverse engineering. This approach significantly improves performance on low-power appliances and makes the backdoor substantially harder to analyze through static analysis techniques. GRIMBOLT provides remote shell capability and uses the same command-and-control infrastructure as the replaced BRICKSTORM payloads. As Google and Mandiant noted in their report, “it’s unclear if the threat actor’s replacement of BRICKSTORM with GRIMBOLT was part of a pre-planned life cycle iteration by the threat actor or a reaction to incident response efforts led by Mandiant and other industry partners.”
Ghost NICs: A Novel Pivoting Technique
Among the technically significant findings in the UNC6201 investigation was the use of what researchers termed Ghost NICs, a technique not previously documented in Mandiant's investigations. According to Mandiant communications manager Mark Karayan, “UNC6201 uses temporary virtual network ports (AKA ‘Ghost NICs’) to pivot from compromised VMs into internal or SaaS environments, a new technique that Mandiant has not observed before in their investigations.” After compromising a Dell RecoverPoint appliance, the threat actors created temporary virtual network interface cards on VMware ESXi virtual machines running in the same environment. These ghost NICs allowed UNC6201 to pivot from the compromised appliance into internal networks and cloud-hosted SaaS environments, reaching systems that would otherwise have been isolated from the appliance's network segment.
After completing their lateral movement and data collection activities, the attackers deleted the ghost NICs, removing evidence of the pivot technique and making forensic reconstruction of the attack chain significantly more difficult. The use of iptables for single packet authorization provided an additional layer of operational security, allowing the attackers to manage their access without generating easily detectable traffic patterns.
Scope and Duration of the Campaign
The UNC6201 campaign is notable not just for its technical sophistication but for its duration. Exploitation of CVE-2026-22769 began at least as early as mid-2024, and the threat actor maintained persistent access across victim environments for extended periods. Some organizations experienced extended breach windows when accounting for overlapping UNC5221 activity, which CrowdStrike and GTIG have independently traced back to at least 2022. Rich Reece told The Hacker News: “We are aware of less than a dozen impacted organizations, but because the full scale of this campaign is unknown, we recommend that organizations previously targeted by BRICKSTORM look out for GRIMBOLT in their environments.” Researchers emphasized that additional compromised organizations almost certainly exist and have not yet detected the intrusion.
Google Threat Intelligence Group noted that “consistent with the earlier BRICKSTORM campaign, UNC6201 continues to target appliances that typically lack traditional endpoint detection and response (EDR) agents to remain undetected for long periods.” The group assessed with confidence that a significant portion of UNC6201 and UNC5221's combined activity remains unknown, and that both groups are likely developing or have already developed additional undiscovered zero-day vulnerabilities in enterprise technologies. This assessment reflects the groups' demonstrated capability to identify novel exploitation opportunities in infrastructure appliances that security teams routinely overlook.
The Pattern: Backup Infrastructure as a Primary Attack Surface
The Veeam and Dell RecoverPoint campaigns share a unifying strategic logic. Both sets of attackers, whether financially motivated ransomware groups or state-sponsored espionage actors, recognized that backup and recovery infrastructure represents a uniquely high-value and under-defended attack surface. Several factors combine to make this infrastructure persistently vulnerable.
Patch lag is the immediate problem. Unlike production systems where downtime from patching can be managed with planned maintenance windows, backup servers are often treated as systems that should never go offline. Administrators frequently delay patching backup infrastructure because they fear disrupting backup jobs or backup repositories. This creates an extended window of exposure even when patches are available. Rapid7's Caitlin Condon confirmed that “threat groups exploited previous Veeam Backup and Replication vulnerabilities months after disclosure, and almost a year later in one case.” In the case of CVE-2024-40711, Censys security researcher Himaja Motheram observed that the number of internet-exposed Veeam servers remained essentially unchanged weeks after disclosure, dropping from 2,833 to 2,784 exposed instances with no indication that organizations were patching at scale.
Monitoring gaps compound the patching problem. Backup servers are rarely included in security information and event management platforms with the same depth of logging and alerting applied to domain controllers or public-facing servers. When Huntress researchers analyzed the forensic artifacts left by CVE-2023-27532 exploitation, they found that by default, Veeam's logging configuration does not record API calls, meaning that exploitation could leave no trace in default logs. Detecting an attack required either elevated logging verbosity or network-based detection of suspicious traffic to port 9401.
Internet exposure creates the third element of risk. Both Censys and Cyble identified thousands of Veeam Backup and Replication servers directly accessible from the public internet at the time of vulnerability disclosures. Backup servers have no business reason to be reachable from the internet, yet many organizations expose them, either through misconfiguration, VPN routing decisions, or cloud deployments that inadvertently create public interfaces.
The convergence of high-value data, delayed patching, inadequate monitoring, and unnecessary internet exposure makes backup infrastructure a systemically attractive target across the entire threat landscape.
Defensive Recommendations
Patch Immediately and Maintain a Patch Schedule
CVE-2024-40711 is fully remediated in Veeam Backup and Replication version 12.2.0.334 and later. CVE-2023-27532 was patched in version 12.0.0.1420 P20230223 and version 11.0.1.1261 P20230227. Organizations still running unpatched versions face confirmed active exploitation. For Dell RecoverPoint, CVE-2026-22769 is remediated in version 6.0.3.1 HF1. CISA added CVE-2026-22769 to its Known Exploited Vulnerabilities catalog on February 18, 2026. Nick Andersen, Executive Assistant Director for Cybersecurity at CISA, stated the agency is “actively combating the multi-year BRICKSTORM threat campaign” through collaboration with government, industry, and international partners, and urged all organizations to “take decisive steps now to mitigate exposure and prevent compromise.” Administrators who cannot immediately update should apply Dell's remediation script as an interim measure. Organizations should establish a recurring patch cycle specifically for backup infrastructure, applying the same urgency to it as to production systems.
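A practical way to act on the fixed builds listed above is to triage an inventory of Veeam Backup and Replication servers against them. The script below is an added example written for this article, not code from Veeam or from any of the research teams it cites. It compares build strings in the form the product reports them ("12.1.2.172", "11.0.1.1261 P20230227") with the fixed builds named in the advisories; the parsing rules, the sample inventory, and the treatment of branches the advisories do not name (newer major versions assumed fixed, older unsupported branches assumed unpatched) are this example's own assumptions.

```python
"""Patch-status check for Veeam Backup & Replication build strings.

Added example, not code from Veeam or from any research team cited in the
article. It compares a build string as the product reports it against the
fixed builds stated in the advisories. The parsing rules and the handling of
branches the advisories do not name are this example's own assumptions.
"""
import re
from typing import Dict, List, Tuple

# Fixed builds per major-version branch, as stated in the advisories. A build is
# unpatched for a CVE when it sorts before the fixed build on its own branch.
FIXED_BUILDS: Dict[str, Dict[int, str]] = {
    "CVE-2023-27532": {12: "12.0.0.1420 P20230223", 11: "11.0.1.1261 P20230227"},
    "CVE-2024-40711": {12: "12.2.0.334"},
}

_BUILD_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)(?:\s+P(\d{8}))?$")


def parse_build(build: str) -> Tuple[int, int, int, int, int]:
    """Turn '12.0.0.1420 P20230223' into a comparable tuple.

    The optional 'Pyyyymmdd' suffix names a cumulative patch applied on top of
    a base build; a base build without the suffix sorts before any patched one.
    """
    m = _BUILD_RE.match(build.strip())
    if not m:
        raise ValueError(f"unrecognised build string: {build!r}")
    major, minor, rev, num, patch = m.groups()
    return (int(major), int(minor), int(rev), int(num), int(patch or 0))


def unpatched_cves(build: str) -> List[str]:
    """Return the CVEs in FIXED_BUILDS whose fix the given build lacks."""
    parsed = parse_build(build)
    major = parsed[0]
    missing: List[str] = []
    for cve, fixed_by_branch in FIXED_BUILDS.items():
        fixed = fixed_by_branch.get(major)
        if fixed is None:
            # Branch not named in the advisory. Assumption: newer major versions
            # carry the fix, older (unsupported) branches never received it.
            if major < max(fixed_by_branch):
                missing.append(cve)
            continue
        if parsed < parse_build(fixed):
            missing.append(cve)
    return missing


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each host to the CVEs it is still exposed to; patched hosts map to []."""
    return {host: unpatched_cves(build) for host, build in inventory.items()}


if __name__ == "__main__":
    # Constructed inventory for illustration, not real hosts.
    sample = {
        "vbr-01": "12.2.0.334",
        "vbr-02": "12.1.2.172",
        "vbr-03": "12.0.0.1420",
        "vbr-04": "11.0.1.1261 P20230227",
    }
    for host, cves in triage(sample).items():
        print(f"{host:8} {sample[host]:24} {', '.join(cves) or 'patched'}")
```

The comparison treats the patch-date suffix as the lowest-order component, so a bare 12.0.0.1420 (the base version 12 release) correctly shows as still exposed to CVE-2023-27532 while 12.0.0.1420 P20230223 does not; likewise 12.1.2.172, which only added the authentication requirement, still reports CVE-2024-40711 until the server reaches 12.2.0.334.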
Remove Unnecessary Internet Exposure
No Veeam Backup and Replication server should be directly accessible from the public internet. Firewall rules should block inbound access to all Veeam service ports, including TCP 9401 and TCP 8000, from any untrusted network. Backup servers should be placed on isolated management network segments accessible only through privileged administrative workstations or jump hosts. Cloud-hosted Veeam deployments should be reviewed to ensure that security group or firewall rules restrict access appropriately.
Enforce Multi-Factor Authentication on VPN Gateways
Nearly every ransomware attack involving CVE-2024-40711 began with compromised VPN credentials on gateways lacking multi-factor authentication. MFA on remote access infrastructure is non-negotiable. VPN appliances running outdated software should be updated or replaced, as attackers also targeted outdated VPN clients as part of the same attack chains.
Treat Backup Servers as Tier-Zero Assets
Veeam and similar backup platforms should receive the same security classification as domain controllers and certificate authorities. This means comprehensive logging, continuous monitoring through a SIEM or MDR platform, privileged access workstations for administration, and regular review of accounts and permissions. Logging verbosity on Veeam servers should be increased from default settings to capture API interactions, authentication events, and account creation activity.
Monitor for Indicators of Compromise
Organizations should hunt for the specific artifacts associated with known Veeam exploitation. The creation of local accounts named point or point2 on Veeam servers is a confirmed indicator of ransomware exploitation associated with Akira, Fog, and Frag ransomware. Requests to /trigger on port 8000 and /manager/text/deploy in Tomcat audit logs are indicators of exploitation attempts. CISA, NSA, and the Canadian Centre for Cyber Security have released YARA rules and indicators of compromise for the BRICKSTORM and GRIMBOLT backdoors associated with UNC6201 activity.
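The indicators above, together with the earlier observation that default Veeam logging records no API calls and that detection of CVE-2023-27532 exploitation therefore depends on network-side visibility of port 9401, translate into a small set of hunting rules. The script below is an added example written for this article, not code from Sophos, Huntress, Mandiant, CISA or any vendor it cites. It runs those rules over three constructed data sources: connection records, web-server access logs, and Windows account-creation and group-change events. The record layouts, the allow list of hosts expected to reach the backup ports, and the 4720/4732 event formats are this example's own assumptions; the ports, paths and account names come from the incident reports discussed in the article.

```python
"""Hunting for the exploitation artifacts named in this article.

Added example, not code from any vendor or research team cited above. Runs
rules over three constructed data sources. Field layouts, the allow list and
the event-export format are this example's own assumptions.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Ports and paths from the advisories and incident reports discussed above.
WATCHED_PORTS: Dict[int, str] = {
    9401: "Veeam.Backup.Service WCF endpoint (CVE-2023-27532)",
    8000: "Veeam.Backup.MountService /trigger (CVE-2024-40711)",
}
SUSPICIOUS_PATHS: Dict[str, str] = {
    "/trigger": "MountService deserialization endpoint (CVE-2024-40711)",
    "/manager/text/deploy": "Tomcat Manager WAR deploy (CVE-2026-22769)",
}
# Rogue account names reported by Sophos (point, point2) and Group-IB (VeeamBkp).
ROGUE_ACCOUNTS = {"point", "point2", "veeambkp"}
WATCHED_GROUPS = {"administrators", "remote desktop users"}
# Hosts expected to reach the Veeam service ports (constructed allow list).
ALLOWED_BACKUP_SOURCES = {"10.10.5.20", "10.10.5.21"}


@dataclass
class Finding:
    source: str    # data source that produced the hit
    detail: str    # what matched and why it matters
    evidence: str  # the raw record


def hunt_connections(lines: List[str]) -> List[Finding]:
    """Assumed record layout: '<ts> <src_ip> <dst_ip> <dst_port> <proto>'.
    Flags any host outside the allow list reaching the Veeam service ports."""
    findings = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or not parts[3].isdigit():
            continue
        src, port = parts[1], int(parts[3])
        if port in WATCHED_PORTS and src not in ALLOWED_BACKUP_SOURCES:
            findings.append(Finding("flow", f"{src} -> tcp/{port}: {WATCHED_PORTS[port]}", line))
    return findings


_REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>[^ ?"]+)[^"]*"')


def hunt_access_log(lines: List[str]) -> List[Finding]:
    """Flag requests to the abused endpoints in common-log-format access logs
    (query strings are ignored, so /manager/text/deploy?path=... still matches)."""
    findings = []
    for line in lines:
        m = _REQ_RE.search(line)
        if m and m.group("path") in SUSPICIOUS_PATHS:
            path = m.group("path")
            findings.append(Finding("http", f"{m.group('method')} {path}: {SUSPICIOUS_PATHS[path]}", line))
    return findings


_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def _fields(line: str) -> Dict[str, str]:
    """Parse 'key=value key="value with spaces"' event exports (assumed layout)."""
    return {k: (q or u) for k, q, u in _KV_RE.findall(line)}


def hunt_account_events(lines: List[str]) -> List[Finding]:
    """Flag creation of a rogue-named local account (event 4720) and its addition
    to the Administrators or Remote Desktop Users group (event 4732)."""
    findings = []
    for line in lines:
        f = _fields(line)
        event = f.get("EventID")
        if event == "4720" and f.get("TargetUserName", "").lower() in ROGUE_ACCOUNTS:
            findings.append(Finding("winevent", f"local account created: {f['TargetUserName']}", line))
        elif (event == "4732" and f.get("MemberName", "").lower() in ROGUE_ACCOUNTS
              and f.get("TargetUserName", "").lower() in WATCHED_GROUPS):
            findings.append(Finding("winevent", f"{f['MemberName']} added to {f['TargetUserName']}", line))
    return findings


def hunt_all(flows: List[str], access: List[str], events: List[str]) -> List[Finding]:
    return hunt_connections(flows) + hunt_access_log(access) + hunt_account_events(events)


# Constructed sample records, not captured from any real incident.
SAMPLE_FLOWS = [
    "2024-10-09T02:11:07Z 10.10.5.20 10.10.5.10 9401 tcp",   # backup proxy, expected
    "2024-10-09T02:11:09Z 10.10.44.73 10.10.5.10 9401 tcp",  # workstation subnet, not expected
    "2024-10-09T02:12:31Z 10.10.44.73 10.10.5.10 8000 tcp",
    "2024-10-09T02:12:40Z 10.10.44.73 10.10.5.10 443 tcp",
]
SAMPLE_ACCESS = [
    '10.10.44.73 - - [09/Oct/2024:02:12:31 +0000] "POST /trigger HTTP/1.1" 200 512',
    '10.10.3.9 - - [09/Oct/2024:02:15:02 +0000] "GET /api/v1/jobs HTTP/1.1" 200 2048',
    '198.51.100.7 - - [14/Aug/2024:23:40:12 +0000] "PUT /manager/text/deploy?path=/x HTTP/1.1" 200 73',
]
SAMPLE_EVENTS = [
    'ts=2024-10-09T02:12:33Z EventID=4720 TargetUserName=point SubjectUserName="VBR01$"',
    'ts=2024-10-09T02:12:34Z EventID=4732 TargetUserName=Administrators MemberName=point',
    'ts=2024-10-09T02:12:35Z EventID=4732 TargetUserName="Remote Desktop Users" MemberName=point',
    'ts=2024-10-09T08:00:00Z EventID=4720 TargetUserName=svc_reporting SubjectUserName=admin',
]

if __name__ == "__main__":
    for hit in hunt_all(SAMPLE_FLOWS, SAMPLE_ACCESS, SAMPLE_EVENTS):
        print(f"[{hit.source}] {hit.detail}\n    {hit.evidence}")
```

The connection rule is deliberately allow-list based rather than signature based: traffic to TCP 9401 or 8000 from anything other than the known backup proxies and management hosts is worth a look regardless of payload, which is the only practical detection when the application itself logs nothing. In production the three parsers would be replaced by the organization's own flow, access-log and Security-event exports, and the allow list by the actual backup infrastructure addresses.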
Segment and Immutably Store Backups
The 3-2-1 backup rule, maintaining three copies of data on two different media types with one copy offsite, should be implemented with an air-gapped or immutable copy that ransomware cannot encrypt or delete. Veeam supports immutable backup repositories through integration with object storage systems that enforce write-once, read-many (WORM) policies. An attacker who compromises a Veeam server but cannot modify or delete the immutable backup copy loses a significant portion of their leverage.
Conclusion: The Backup Problem Is a Security Problem
The exploitation of Veeam Backup and Replication and Dell RecoverPoint for Virtual Machines represents a maturation in attacker strategy. Threat actors across the full spectrum, from financially motivated ransomware affiliates to patient state-sponsored espionage groups, have recognized that backup infrastructure is not a secondary consideration but a primary objective. The vulnerabilities that enabled these attacks were not exotic or unprecedented. They were the predictable result of unauthenticated API endpoints, hardcoded credentials, and deserialization flaws that the cybersecurity community has been warning about for years.
What has changed is the intentionality with which attackers pursue backup systems. CVE-2023-27532 was exploited for more than a year by multiple distinct threat actors. CVE-2024-40711 was weaponized within weeks by at least three different ransomware families. UNC6201 maintained persistent access to victim environments for over a year through a zero-day vulnerability that went undetected. In each case, the common thread is that backup infrastructure was treated by defenders as a lower priority than production systems, while attackers treated it as the highest priority target in the environment.
For cybersecurity educators, practitioners, and organizational leaders, these incidents carry a clear message: the security posture of backup infrastructure must be treated as equivalent to the security posture of the critical systems in the environment. Patching, monitoring, network segmentation, multi-factor authentication, and immutable storage are not optional hardening measures. They are the baseline requirements for protecting the systems that everything else depends on. The organizations that learn this lesson from these incidents will be far better positioned than those that learn it from their own breach.
Sources and Further Reading
- Check Point Research, Threat Intelligence Report, February 23, 2026
- Sophos X-Ops, “VEEAM Exploit Seen Used Again with a New Ransomware: Frag,” November 2024
- Google Threat Intelligence Group and Mandiant, “UNC6201 Exploiting a Dell RecoverPoint for Virtual Machines Zero-Day,” February 18, 2026
- CISA Known Exploited Vulnerabilities Catalog: CVE-2023-27532 (August 2023), CVE-2024-40711 (October 17, 2024), CVE-2026-22769 (February 18, 2026)
- Rapid7, “Multiple Vulnerabilities in Veeam Backup and Replication,” September 2024
- watchTowr Labs, “Veeam Backup & Response – RCE With Auth, But Mostly Without Auth (CVE-2024-40711),” September 2024
- Censys, “Unauthenticated RCE in Veeam Backup & Replication (CVE-2024-40711),” September 2024
- Cybersecurity Dive, “Critical Veeam CVE Actively Exploited in Ransomware Attacks,” October 22, 2024
- Cyble, “Ransomware Gangs Exploit Critical Vulnerability in Veeam,” October 2024
- Cybersecurity Dive, “Hackers Exploit Zero-Day Flaw in Dell RecoverPoint for Virtual Machines,” February 2026
- BleepingComputer, “Chinese Hackers Exploiting Dell Zero-Day Flaw Since Mid-2024,” February 2026
- SecurityWeek, “Dell RecoverPoint Zero-Day Exploited by Chinese Cyberespionage Group,” February 2026
- The Hacker News, “Critical Veeam Vulnerability Exploited to Spread Akira and Fog Ransomware,” October 2024
- The Hacker News, “Dell RecoverPoint for VMs Zero-Day CVE-2026-22769 Exploited Since Mid-2024,” February 2026
- Cyber Centaurs, “Threat Actors’ Obsession with Veeam Backups,” September 2025
- Huntress, Veeam Backup and Replication CVE-2023-27532 Response, 2023
- Horizon3.ai, CVE-2023-27532 Deep Dive, March 2023
- UK National Health Service Cybersecurity Alert, October 11, 2024
- Group-IB, EstateRansomware Analysis, July 2024
- CISA, NSA, and Canadian Centre for Cyber Security, BRICKSTORM Malware Analysis Report, December 2025
- CyberScoop, “Officials Warn About Expansive, Ongoing China Espionage Threat Riding on Brickstorm Malware,” December 2025