Exploitable Storage and Backup Vulnerabilities: Growing Threat to Enterprise Security
By Yaniv Valik, VP, product management, Continuity Software, Inc.
This is a Press Release edited by StorageNewsletter.com on May 12, 2025 at 2:01 pm
On May 1st, enterprise backup vendor Commvault revealed that an unknown nation-state threat actor had breached its Microsoft Azure environment by exploiting CVE-2025-3928.
That wasn’t the only vulnerability making headlines. A few days earlier, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) officially added a significant security flaw affecting Broadcom’s Brocade Storage Fabric OS to its Known Exploited Vulnerabilities (KEV) catalog, underscoring the urgent need for remediation across enterprise and government environments.
The flaw can allow a local attacker who already holds administrative privileges to execute arbitrary code with full root access. That privilege escalation could enable a complete compromise of the underlying storage network infrastructure, posing significant risks to data integrity and operational continuity.
Not Isolated Cases: A Growing List of Exploited Vulnerabilities
The Commvault and Brocade exploits are far from isolated incidents. In recent months, multiple vulnerabilities in storage and backup solutions have been discovered and actively exploited. Examples include:
- Veeam Backup & Replication: CVE-2022-26500 and CVE-2022-26501 allow remote, unauthenticated attackers to execute arbitrary code. They were actively exploited by ransomware groups such as Monti and Yanluowang shortly after discovery, emphasizing the importance of timely patching.
- MinIO: CVE-2023-28432 in MinIO’s Multi-Cloud Object Storage framework allows attackers to retrieve all environment variables, including sensitive values such as MINIO_SECRET_KEY and MINIO_ROOT_PASSWORD. Attackers were caught exploiting this vulnerability, as reported by CISA.
- Veritas Backup Exec: CVE-2021-27876 allows unauthorized file access through the Backup Exec Agent. It has been actively exploited, highlighting the risks associated with unpatched backup solutions.
- Oracle ZFS Storage Appliance: CVE-2020-14871 is an easy-to-use, actively exploited vulnerability that allows an unauthenticated attacker to compromise the system, with high impact on confidentiality, integrity, and availability.
Why Storage and Backup Security Matters More Than Ever
From ransomware to insider threats, if your primary storage is compromised, hundreds or thousands of workloads — databases, containers, VMs — can go down in a flash.
Worse still, if your backup systems are compromised, there’s no Plan B. No way to recover. You’re out of options.
On average, each enterprise storage or backup device has 10 vulnerabilities, including 5 critical or high-severity ones. Yet most organizations have limited visibility into these weaknesses.
Two Key Steps to Fortify Your Storage and Backup Systems:
1. Build a Secure Configuration Baseline
Define secure settings per product (e.g. Dell, Pure, Hitachi Vantara, NetApp, Rubrik, Cohesity) – and ensure they’re reviewed and refreshed regularly. A secure baseline includes both system-level and security controls that reflect vendor guidance and real-world attack patterns.
2. Perform a Gap Assessment
| # | Question |
|---|----------|
| | Vulnerability and Patch Management |
| 1 | Ability to scan our storage and backup appliances? |
| 2 | Authenticated scan for vulnerabilities and missing patches? Runs platform-specific APIs / commands? |
| 3 | Automatic detection and remediation validation (patch / mitigating configuration)? |
| 4 | Solid inventory of all storage and backup arrays, appliances, nodes and software? |
| | Security Baseline, Configuration Compliance and Drift Management |
| 5 | Defined target system and security settings for storage and backup platforms? |
| 6 | Repeatable way to assess security misconfigurations? Continuous drift detection? |
| | Knowledge |
| 7 | Expertise in securing storage and backup technologies? |
| 8 | Researched security best practices and hardening instructions for storage and backup platforms? |
Gap assessments surface weak spots you didn’t know existed.
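Baseline checking (step 1) and the continuous drift detection asked about in question 6, as an added Python example; this is not StorageGuard code or any vendor's baseline, and the control names, thresholds and both configuration snapshots are constructed for illustration only.

```python
from dataclasses import dataclass
from typing import Any, Callable

@dataclass(frozen=True)
class Control:
    key: str                       # setting name as reported by the appliance
    severity: str                  # critical / high / medium
    passes: Callable[[Any], bool]  # predicate over the observed value
    expected: str                  # human-readable target shown in a finding

# Constructed baseline for a hypothetical backup appliance (illustrative, not a vendor guide).
BASELINE = [
    Control("admin_mfa_required", "critical", lambda v: v is True, "true"),
    Control("backup_copy_immutable", "critical", lambda v: v is True, "true"),
    Control("tls_min_version", "high",
            lambda v: tuple(int(p) for p in str(v).split(".")) >= (1, 2), ">= 1.2"),
    Control("mgmt_allowed_networks", "high",
            lambda v: bool(v) and "0.0.0.0/0" not in v, "explicit networks only"),
    Control("admin_session_timeout_min", "medium",
            lambda v: isinstance(v, int) and 0 < v <= 15, "1 to 15 minutes"),
    Control("audit_log_forwarding", "high", lambda v: v is True, "true"),
]

def assess(snapshot: dict) -> list:
    """Return (key, severity, observed, expected) for every control the snapshot fails.
    A setting the appliance did not report is treated as a failure, not as unknown."""
    findings = []
    for c in BASELINE:
        observed = snapshot.get(c.key, "<not reported>")
        try:
            ok = c.key in snapshot and c.passes(observed)
        except (TypeError, ValueError):  # a malformed value never counts as compliant
            ok = False
        if not ok:
            findings.append((c.key, c.severity, observed, c.expected))
    return findings

def drift(previous: dict, current: dict) -> dict:
    """Settings whose value changed between two snapshots, as {key: (old, new)}."""
    keys = sorted(set(previous) | set(current))
    return {k: (previous.get(k), current.get(k)) for k in keys if previous.get(k) != current.get(k)}

# Constructed snapshots: day 1 is compliant, day 2 has drifted after a change window.
DAY1 = {"admin_mfa_required": True, "backup_copy_immutable": True, "tls_min_version": "1.2",
        "mgmt_allowed_networks": ["10.20.0.0/16"], "admin_session_timeout_min": 10,
        "audit_log_forwarding": True}
DAY2 = {**DAY1, "backup_copy_immutable": False,
        "mgmt_allowed_networks": ["10.20.0.0/16", "0.0.0.0/0"]}
del DAY2["audit_log_forwarding"]  # setting silently missing from the day-2 report
```

Running `assess` on every collected snapshot and `drift` between consecutive ones gives both the point-in-time gap list and the change history a reviewer needs to tell a deliberate change from an unauthorized one.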
What a Complete Storage and Backup Security Program Looks Like
Storage and backup systems are your organization’s most critical — and ironically most overlooked — assets. They deserve the same security rigor as endpoints, networks, and apps.
A well-architected Security Posture Management plan for storage and backups includes:
- Vulnerability management tailored to the environment
- Secure configuration enforcement
- Real-time anomaly detection (block and file-level)
- Compliance mapping (PCI DSS, NIST, ISO, HIPAA, etc.)
- Integration with tools like ServiceNow, Qualys/Rapid7/Tenable, CyberArk, CyberSense, Varonis, and others
StorageGuard – by Continuity – is a security posture management solution for storage and backups, helping to ensure these systems are securely configured, and compliant with industry and security standards.
StorageGuard scans, detects, and fixes security misconfigurations and vulnerabilities across hundreds of storage, backup and data protection systems – including Dell, NetApp, Hitachi Vantara, Pure, Rubrik, Commvault, Veritas, HPE, Brocade, Cisco, Veeam, Cohesity, IBM, Infinidat, VMware, AWS and Azure.
Resources:
- See StorageGuard in Action: 3-minute tour of StorageGuard (registration required)
- Dual Authorization in Storage and Backup Systems: A Technical Guide
- Best Practices for Setting Secure Configuration Baselines for your Storage & Backup Systems – Part 1
- Where Vulnerability Scanners Fall Short (Hint: It’s Related to Your Storage & Backup Environment)
- Establishing Secure Configuration Baselines: Best Practice Guide for Storage & Backup Systems (registration required)