A 2023–2024 CVE Analysis of Leading Backup Vendors
Backup software is supposed to be your safety net when ransomware strikes — but what happens when the backup solution itself is the first thing to get compromised?
Over the past two years, backup software and hardware appliances from top vendors have seen a steady stream of critical and high-severity vulnerabilities, many of which could allow attackers to escalate privileges, steal credentials, or even execute code remotely on backup infrastructure. These are not theoretical risks. Some of them have been actively exploited in the wild.
In this deep dive, we explore the publicly disclosed CVEs from March 2023 to March 2025 for the major backup vendors:
- Dell (PowerProtect, Avamar, NetWorker)
- Veritas (NetBackup)
- Cohesity
- Rubrik
- Commvault
- Veeam
- Arcserve
- IBM (Spectrum Protect)
- Acronis
We analyzed medium, high, and critical severity CVEs disclosed in public sources like MITRE, NVD, and vendor advisories.
CVE Comparison Table: 2023 vs. 2024
Vendor | 2023 – Critical | 2023 – High | 2023 – Medium | 2024 – Critical | 2024 – High | 2024 – Medium |
---|---|---|---|---|---|---|
Dell | 3 | 1 | 1 | 3 | 2 | 1 |
Veritas | 1 | 3 | 0 | 0 | 2 | 1 |
Cohesity | 0 | 0 | 1 | 0 | 0 | 0 |
Rubrik | 0 | 0 | 0 | 1 | 0 | 0 |
Commvault | 1 | 1 | 0 | 0 | 0 | 0 |
Veeam | 0 | 1 | 0 | 1 | 3 | 5 |
Arcserve | 4 | 0 | 0 | 3 | 0 | 0 |
IBM | 1 | 2 | 1 | 1 | 3 | 2 |
Acronis | 1 | 2 | 2 | 0 | 2 | 2 |
Note: This table focuses on backup-related products only. Counts reflect publicly available CVEs as of March 2025.
The TL;DR Summary
- Veeam and Arcserve had the most critical CVEs, some of which were actively exploited in ransomware campaigns.
- Acronis and Commvault saw significant vulnerabilities driven by third-party components (e.g. Apache ActiveMQ, libwebp, etc.).
- Veritas, Dell, and IBM had frequent disclosures but mostly with local or authenticated access required.
- Cohesity and Rubrik had very few vulnerabilities disclosed — though one Rubrik flaw in 2024 was very serious.
- Many vendors patched quickly, but the real-world risk persists because many organizations delay applying security updates.
Vendor-by-Vendor Breakdown
🔒 Dell EMC
Dell’s PowerProtect and Avamar systems saw multiple critical advisories, mostly due to embedded third-party components like cURL, OpenSSL, and log libraries.
- In both 2023 and 2024, Dell released rollups with multiple CVEs including remote code execution bugs via outdated libraries.
- Example: DSA-2023-262 covered several CVEs in Avamar and NetWorker related to privilege escalation and RCE.
🟢 Takeaway: Dell releases cumulative security patches frequently. Stay on top of update schedules, especially if using Data Domain or PowerProtect appliances.
🔒 Veritas NetBackup
Veritas had a rough 2023:
- CVE-2023-40256 (Critical): Improper access control in Snapshot Manager allowing unauthorized operations via RabbitMQ.
- CVE-2023-28758 and 28759: Arbitrary file write and DLL hijacking, both high severity.
- In 2024, the disclosures shifted to Windows agent vulnerabilities, like CVE-2024-33672, which allowed file deletions.
🟡 Takeaway: Most Veritas issues required some level of authenticated access, but could be leveraged by an attacker who has already moved laterally into the environment.
🔒 Cohesity
Cohesity had a single medium-severity CVE in the last two years:
- CVE-2023-33295: TLS cert validation gap that allowed man-in-the-middle attacks.
🟢 Takeaway: Either very secure or under-examined. No high/critical CVEs disclosed in public. A good sign, but don’t get too comfortable.
🔒 Rubrik CDM
- CVE-2024-36068: A critical RCE in Rubrik CDM, allowing remote unauthenticated attackers to execute arbitrary code.
🟠 Takeaway: Only one major issue reported in 2 years, but it was very serious. Rubrik patched quickly, but systems running outdated versions remain vulnerable.
🔒 Commvault
Commvault faced two key problems in 2023:
- CVE-2023-46604: A critical vulnerability in Apache ActiveMQ (used in Commvault Communications Service).
- CVE-2023-4863: The infamous libwebp bug, which could be triggered if image previewing was enabled.
🟡 Takeaway: Both vulnerabilities were in third-party libraries, but embedded in Commvault’s product stack — highlighting the risk of supply chain vulnerabilities.
🔥 Veeam
- CVE-2023-27532 (High): Stolen credentials via unprotected API — actively exploited by ransomware groups like FIN7.
- CVE-2024-40711 (Critical): Remote code execution — unauthenticated, network accessible.
- Plus several high and medium bugs in 2024 like CVE-2024-40710, 42023, 42024.
🔴 Takeaway: Veeam is a high-value target. Make patching a top priority and monitor logs for abnormal access behavior.
🔥 Arcserve UDP
2023 was rough:
- CVE-2023-26258, 41998, 41999, 42000: Multiple unauthenticated RCEs, authentication bypass, path traversal — all scored 9.8 Critical.
In 2024:
- CVE-2024-0799, 0800, 0801: More critical bugs in UDP management console.
🔴 Takeaway: Arcserve had some of the worst vulnerabilities in backup software. If you run UDP, make sure you’re updated to the latest hotfix version.
🟡 IBM Spectrum Protect
IBM saw a mix of local privilege escalation and third-party library CVEs:
- CVE-2023-39320 and CVE-2024-24787 (Critical): Go (Golang) HTTP/2 vulnerabilities bundled in Spectrum Protect Plus updates.
- Multiple high CVEs affecting Backup-Archive client and Protect Plus containers.
🟡 Takeaway: IBM releases huge patch rollups that address a ton of CVEs at once. Don’t underestimate them — scan patch notes carefully.
🔥 Acronis Cyber Protect
- CVE-2023-45249 (Critical): Default admin password in Acronis Cyber Infrastructure — actively exploited in the wild.
- Other notable flaws: CVE-2024-34010, 55543 – local privilege escalation.
🔴 Takeaway: Acronis had a major oops with default credentials — and attackers noticed. Patch immediately if you use Cyber Infrastructure.
Trends and Final Thoughts
- Backup infrastructure is a prime target for attackers.
- 2023 was the worst year — far more critical CVEs were found, especially in Arcserve, Veeam, and Acronis.
- Third-party components (ActiveMQ, OpenSSL, etc.) remain a recurring theme.
- Some vendors (Rubrik, Cohesity) have a clean record — or just haven’t been under as much scrutiny yet.
- Patch latency is still a problem: several CVEs were exploited months after patches were released.
Top 5 Security Tips for Backup Admins
- Patch fast — backup servers must be treated as Tier-1 assets.
- Air-gap or isolate your backup networks whenever possible.
- Subscribe to vendor advisories — don’t rely on CVE databases alone.
- Use SIEM integrations to monitor for backup job anomalies or unauthorized access.
- Test your recovery — don’t assume you’re safe just because backups exist.
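The SIEM tip above is the one that admins most often leave abstract. As an added example (not from the original post and not any vendor's code), the script below runs three detections over a constructed, vendor-neutral backup-server audit log: repeated authentication failures followed by a success (the credential-theft pattern behind several of the CVEs discussed), a successful login from outside an assumed management subnet, and destructive backup actions such as repository or backup-set deletion. The log format, the `10.0.5.` trusted prefix, and the action names are all assumptions; a real product emits different fields, so `LINE_RE` is the part you would adapt.

```python
"""Detect suspicious activity in backup-server audit logs.

Added example (not from the original post, not any vendor's code). The log
format, subnet and action names are constructed assumptions for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not captured from a real system).
SAMPLE_LOG = """\
2024-09-10T02:11:04Z auth user=svc_backup src=10.0.5.20 result=success
2024-09-10T02:13:30Z job user=svc_backup action=backup.run target=fileserver01 result=success
2024-09-10T03:05:12Z auth user=admin src=203.0.113.44 result=failure
2024-09-10T03:05:15Z auth user=admin src=203.0.113.44 result=failure
2024-09-10T03:05:19Z auth user=admin src=203.0.113.44 result=failure
2024-09-10T03:05:41Z auth user=admin src=203.0.113.44 result=success
2024-09-10T03:07:02Z job user=admin action=repository.delete target=repo-main result=success
2024-09-10T03:07:40Z job user=admin action=backup.delete target=fileserver01 result=success
2024-09-10T09:30:00Z auth user=operator src=10.0.5.31 result=success
"""

# Assumed line layout: "<iso-ts> <auth|job> user=U [src=S] [action=A] [target=T] result=R"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<kind>auth|job) user=(?P<user>\S+) "
    r"(?:src=(?P<src>\S+) )?(?:action=(?P<action>\S+) )?(?:target=(?P<target>\S+) )?"
    r"result=(?P<result>\S+)$"
)

DESTRUCTIVE_ACTIONS = {"repository.delete", "backup.delete", "retention.change"}
TRUSTED_NETS = ("10.0.5.",)  # assumed management subnet prefix (constructed)
FAILURE_THRESHOLD = 3        # failures within FAILURE_WINDOW before a success
FAILURE_WINDOW = timedelta(minutes=5)


def parse_line(line):
    """Parse one audit line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def analyze(log_text):
    """Return a list of (rule_name, timestamp, detail) findings."""
    findings = []
    failures = defaultdict(list)  # (user, src) -> timestamps of recent failures
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue  # unparsable lines are skipped, not treated as findings
        if ev["kind"] == "auth":
            key = (ev["user"], ev["src"])
            if ev["result"] == "failure":
                # keep only failures still inside the sliding window
                failures[key] = [t for t in failures[key] if ev["ts"] - t <= FAILURE_WINDOW]
                failures[key].append(ev["ts"])
            else:
                recent = [t for t in failures[key] if ev["ts"] - t <= FAILURE_WINDOW]
                if len(recent) >= FAILURE_THRESHOLD:
                    findings.append(("brute_force_then_success", ev["ts"],
                                     f"{ev['user']} from {ev['src']}"))
                if not ev["src"].startswith(TRUSTED_NETS):
                    findings.append(("login_from_untrusted_network", ev["ts"],
                                     f"{ev['user']} from {ev['src']}"))
                failures.pop(key, None)  # a success resets the failure history
        elif ev["kind"] == "job" and ev["action"] in DESTRUCTIVE_ACTIONS:
            findings.append(("destructive_backup_action", ev["ts"],
                             f"{ev['user']} {ev['action']} {ev['target']}"))
    return findings


if __name__ == "__main__":
    for rule, ts, detail in analyze(SAMPLE_LOG):
        print(f"{ts.isoformat()} {rule}: {detail}")
```

On the constructed log this yields four findings: the admin login from 203.0.113.44 trips both the brute-force and the untrusted-network rule, and the two deletions that follow trip the destructive-action rule. In a real deployment the destructive-action rule is the one worth wiring to a paging alert, since deleting backups or shortening retention right after an unusual login is the sequence a ransomware operator runs before encrypting production.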