Veeam has urgently patched three vulnerabilities across its Backup & Replication and Agent for Microsoft Windows products, led by a critical remote code execution (RCE) flaw (CVE-2025-23121) with a CVSS score of 9.9, just short of the maximum.
The RCE affects organizations whose backup servers are joined to an Active Directory domain, and a successful attack hands the intruder the system that is supposed to be the last line of defence against ransomware.
Below is a technical breakdown of the risks and mitigation strategies.
1. Critical RCE Vulnerability in Domain-Joined Servers
The most severe flaw, CVE-2025-23121, allows authenticated domain users to execute arbitrary code on Veeam Backup Servers.
This affects Veeam Backup & Replication 12.3.1.1139 and earlier versions.
Key risks include:
- Low attack complexity: any valid domain user account is enough; no administrative rights on the backup server are needed.
- Loss of backup integrity, plus use of the highly privileged backup server as a pivot for lateral movement across the network.
- A fit with ransomware operators' known interest in Veeam servers: Akira and Fog affiliates exploited an earlier Veeam Backup & Replication vulnerability in recent campaigns.
Security researchers at watchTowr and CodeWhite emphasized the danger of domain-joined configurations, which Veeam explicitly advises against in its security best practices.
2. Backup Operator Privilege Escalation
The high-severity CVE-2025-24286 (CVSS 7.2) enables Backup Operators to manipulate backup jobs for arbitrary code execution.
Reported by Nikolai Skliarenko (Trend Micro), this flaw highlights risks in multi-admin environments:
- Attackers with stolen Backup Operator credentials can corrupt backups or use servers as launch pads for attacks.
- Affected versions include Veeam Backup & Replication 12.3.1.1139 and earlier.
This vulnerability underscores the need for strict access controls and auditing of privileged accounts.
3. Local Privilege Escalation in Windows Agent
The medium-severity CVE-2025-24287 (CVSS 6.1) allows local system users to tamper with directories and execute elevated code on Veeam Agent for Microsoft Windows.
Key details:
- Impacts version 6.3.1.1074 and earlier.
- Discovered by CrisprXiang via Trend Micro’s Zero Day Initiative.
- Requires an existing local session (console or RDP), so the main risk is on shared or multi-user hosts where low-privileged users already log in.
Risk Factor Comparison
CVE ID | Severity | CVSS Score | Affected Versions | Fixed Build |
---|---|---|---|---|
CVE-2025-23121 | Critical | 9.9 | Veeam Backup & Replication 12.3.1.1139 and earlier | 12.3.2.3617 |
CVE-2025-24286 | High | 7.2 | Veeam Backup & Replication 12.3.1.1139 and earlier | 12.3.2.3617 |
CVE-2025-24287 | Medium | 6.1 | Veeam Agent for Microsoft Windows 6.3.1.1074 and earlier | 6.3.2.1205 |
Mitigation and Best Practices
Veeam urges customers to update immediately, particularly given ransomware groups' track record of going after backup systems first.
Additional recommendations include:
- Isolate backup servers: keep them out of the production Active Directory domain (a workgroup, or a separate dedicated management domain or forest), as Veeam's own best practices recommend.
- Enforce least privilege: grant the Backup Operator role only where it is needed, review role assignments regularly, and require multi-factor authentication (MFA) for console access.
- Segment networks: restrict management access to backup servers to trusted administrative hosts and disable unused services.
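The following PowerShell script is an added example, not part of the original article or of Veeam's tooling. It turns the table and the recommendations above into a quick self-check for a Windows host: it compares the product version stamped on the installed Veeam executables with the fixed builds from the advisory, reports whether the machine is domain-joined (the configuration CVE-2025-23121 needs), and lists Veeam role assignments so Backup Operator grants can be reviewed. The fixed build numbers come from the advisory; the install paths are Veeam's default locations and the `Get-VBRUserRoleAssignment` cmdlet is assumed to be available from the Veeam PowerShell module on the backup server.

```powershell
# Added example, not part of Veeam's tooling or the original article.
# Run in an elevated PowerShell session on the backup server (or on a host with
# Veeam Agent for Microsoft Windows). Fixed builds come from the advisory; the
# install paths are Veeam's default locations and are an assumption here.

$Targets = @(
    @{ Product = 'Veeam Backup & Replication'
       Exe     = 'C:\Program Files\Veeam\Backup and Replication\Backup\Veeam.Backup.Manager.exe'
       Fixed   = [version]'12.3.2.3617' },
    @{ Product = 'Veeam Agent for Microsoft Windows'
       Exe     = 'C:\Program Files\Veeam\Endpoint Backup\Veeam.EndPoint.Manager.exe'
       Fixed   = [version]'6.3.2.1205' }
)

function Get-VeeamPatchStatus {
    # Compares the product version stamped on each executable with the fixed build.
    foreach ($t in $Targets) {
        if (-not (Test-Path -LiteralPath $t.Exe)) { continue }    # product not installed here
        $raw = (Get-Item -LiteralPath $t.Exe).VersionInfo.ProductVersion
        # Keep only the leading dotted-numeric part so [version] parsing cannot choke on suffixes.
        $installed = [version]($raw -replace '^(\d+(\.\d+)+).*$', '$1')
        [pscustomobject]@{
            Product   = $t.Product
            Installed = $installed
            FixedIn   = $t.Fixed
            Patched   = ($installed -ge $t.Fixed)
        }
    }
}

function Get-DomainJoinStatus {
    # CVE-2025-23121 is exploitable by any authenticated domain user, so a
    # domain-joined backup server is the configuration to flag.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    [pscustomobject]@{
        ComputerName = $cs.Name
        DomainJoined = [bool]$cs.PartOfDomain
        Domain       = $cs.Domain
    }
}

Get-VeeamPatchStatus | Format-Table -AutoSize
Get-DomainJoinStatus | Format-List

# Veeam's PowerShell module ships with Backup & Replication; list who holds which
# role so Backup Operator assignments (relevant to CVE-2025-24286) can be reviewed.
if (Get-Command -Name Get-VBRUserRoleAssignment -ErrorAction SilentlyContinue) {
    Get-VBRUserRoleAssignment | Format-Table -AutoSize
} else {
    Write-Warning 'Veeam.Backup.PowerShell module not available; skipping role review.'
}
```

A `Patched = True` result only confirms the binary version on disk; a backup server that is still domain-joined should be treated as a finding in its own right even after the update, and every domain account or group that appears in the role listing with the Backup Operator role deserves a second look.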
Organizations must prioritize these updates: once a fix is public, attackers routinely diff the patched and unpatched binaries to reconstruct the bug, so unpatched systems become more exposed over time, not less.
Veeam says more than 82% of Fortune 500 companies use its products, so the pool of backup infrastructure at stake is large.