Operational Defect Database

BugZero found this defect 160 days ago.

Veeam | kb4523

Vulnerability Scanner Detection Related to CVE-2023-38545

Last update date:


Affected products:

Veeam Backup & Replication

Veeam Agent for Microsoft Windows

Veeam Agent for Linux

Veeam Cloud Connect

Affected releases:


Fixed releases:

No fixed releases provided.



This Veeam KB article was created to address customers' concerns about the detection of libcurl by their security software on machines where the Veeam Transport Service is installed. Libcurl is a component of VMware VDDK (Virtual Disk Development Kit), which Veeam Backup & Replication redistributes to be able to protect VMware vSphere environments. Veeam Backup & Replication includes VDDK with the Veeam Transport Service package, which is deployed on managed machines for data movement purposes. A single Veeam Transport package is used for all situations where any portion of the Veeam Transport Services capabilities would be needed. Therefore, any server with the Veeam Transport Service installed will have VDDK libraries, regardless of whether the machine is part of a VMware vSphere backup infrastructure.

Impact Statement

Veeam Backup & Replication is not vulnerable to CVE-2023-38545 because Veeam Backup & Replication does not use SOCKS5 protocol.

False Positive Alert Mitigation

Mitigation Explanation Mitigation involves the removal of VDDK, which contains the libcurl library, from machines where it is not needed. It is crucial that VDDK not be removed from any machine with a role that requires the capability to communicate with the VMware vSphere environment.  Roles where VDDK must not be removed as it would impact the ability to communicate with the VMware vSphere environment: Veeam Backup Server VMware Backup Proxy Guest Interaction Proxy CDP Proxy Please note that the presence of VDDK on any other Veeam components or on protected machines that do not carry the above roles does not represent even a theoretical threat because VDDK is never used or called from the Veeam code on those machines.

More Information

Veeam plans to update VDDK versions to the ones with a non-vulnerable version of libcurl once the updated VDDK versions are made available by the VDDK supplier (VMware).

Additional Resources / Links


BugZero® Risk Score

What's this?

Coming soon



Learn More