CVE-2025-23121: Veeam Backup & Replication Hit by 9.9 Severity Vulnerability


Veeam, a leading provider of data backup and recovery software, has released urgent security updates to fix a critical vulnerability in its Backup & Replication software. The flaw, tracked as CVE-2025-23121, carries a CVSS score of 9.9 out of 10, near the top of the critical range.

The vulnerability allows an attacker who can authenticate as a domain user to execute malicious code remotely on the backup server. Note that the advisory requires only a valid domain account, not an administrative one, so a single compromised workstation user in the same domain is enough to reach the precondition. This Remote Code Execution (RCE) bug affects Veeam Backup & Replication version 12 builds up to and including 12.3.1.1139. It is fixed in version 12.3.2 (build 12.3.2.3617).

CVE-2025-23121

CVE-2025-23121 is a security weakness in Veeam Backup & Replication that allows a remote attacker to run arbitrary code on the backup server. The attack requires the attacker to already hold authenticated access through a domain user account, which in practice means the exposed population is backup servers joined to an Active Directory domain. Veeam's own hardening guidance has long recommended keeping the backup server out of the production domain (or in a separate, tightly controlled management domain), and this bug is a concrete illustration of why.

The bug was discovered and responsibly reported by security researchers from CODE WHITE GmbH and watchTowr. Their findings were shared with Veeam, which developed and released the fix in version 12.3.2.

Veeam’s official advisory described the flaw as:

“A vulnerability allowing remote code execution (RCE) on the Backup Server by an authenticated domain user.”

This is not the first time Veeam Backup & Replication has faced severe vulnerabilities. This bug is closely related to another flaw, CVE-2025-23120, also rated 9.9 on the CVSS scale. Veeam patched that issue in March 2025 in version 12.3.1, but researchers subsequently argued that the fix, which relied on blocking known-dangerous classes during deserialization rather than removing the unsafe deserialization path, could be bypassed.

Rapid7, a well-known cybersecurity firm, assessed that the latest patch likely addresses the concerns CODE WHITE raised in March 2025. According to their analysis, the previous fix may not have been fully effective, which makes this new update all the more essential: an organization that patched to 12.3.1 in March should not consider itself covered.

Alongside CVE-2025-23121, Veeam addressed two more vulnerabilities in its software products:

1. CVE-2025-24286 (CVSS 7.2)

This vulnerability affects Veeam Backup & Replication and allows a user holding the Backup Operator role (a built-in role in Veeam's own role model, not the Windows "Backup Operators" group) to alter backup job settings in a way that leads to arbitrary code execution. Although it requires valid credentials with that role, it still poses a moderate-to-high risk in internal environments, since the Backup Operator role is often granted to help-desk or junior operations staff. It is fixed in the same 12.3.2 build (12.3.2.3617).

2. CVE-2025-24287 (CVSS 6.1)

This issue was found in Veeam Agent for Microsoft Windows and allows a local user on the host to modify the contents of a directory used by the agent. If exploited, it allows privilege escalation, letting the local attacker execute code with elevated permissions. This vulnerability is patched in Veeam Agent version 6.3.2 (build 6.3.2.1205).


These flaws are particularly concerning because Veeam products are widely used in enterprise environments to handle sensitive backup data, including full system images and file-level backups. A compromised backup server gives an attacker both read access to that data and, because the server holds credentials for the systems it protects, a path to take over much of the environment. Ransomware operators also target backup servers specifically so that backups can be deleted or encrypted before the main payload runs.

According to Rapid7, more than 20% of their incident response cases in 2024 involved attackers either accessing or exploiting Veeam software after gaining a foothold in a network. That statistic highlights how routinely Veeam is targeted in real-world intrusions.

Update Immediately

If your organization uses Veeam Backup & Replication, upgrade every backup server to version 12.3.2 (build 12.3.2.3617) without delay. This build addresses both CVE-2025-23121 and CVE-2025-24286.

Update Veeam Agent for Windows

For those using Veeam Agent for Microsoft Windows, upgrade to version 6.3.2 (build 6.3.2.1205) to eliminate the risk of local privilege escalation.

Monitor User Activity

Since both Backup & Replication bugs require authenticated access (a domain account for CVE-2025-23121, the Backup Operator role for CVE-2025-24286), monitor logons to backup servers, review which accounts hold Veeam roles, and apply the principle of least privilege. Where feasible, keep backup servers out of the production domain so that an ordinary compromised domain account cannot reach them at all.

Conduct a Vulnerability Scan

Use a security scanner, or a simple inventory check, to verify that no system still runs a Veeam build older than the fixed ones: anything below 12.3.2.3617 for Backup & Replication or below 6.3.2.1205 for Veeam Agent for Microsoft Windows is still vulnerable.
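The following PowerShell script is an added example of that inventory check; it is not Veeam's own tooling and is not part of the original article. The fixed build numbers are the ones named above. The registry display-name patterns, the default install path of Veeam.Backup.Core.dll, and the assumption that the DLL's file version tracks the build shown in Help > About are assumptions about a default Windows installation and may need adjusting for your environment.

```powershell
# Added example (not Veeam code): report installed Veeam builds against the fixed builds.
# Run locally on each backup server, or remotely via Invoke-Command.

# Fixed builds from the advisory covered in this article.
$fixed = @{
    'Veeam Backup & Replication'        = [version]'12.3.2.3617'  # CVE-2025-23121, CVE-2025-24286
    'Veeam Agent for Microsoft Windows' = [version]'6.3.2.1205'   # CVE-2025-24287
}

function Get-InstalledVeeamProducts {
    # Enumerate Uninstall keys in both the 64-bit and 32-bit registry views.
    # Assumption: Veeam products register here with a DisplayName starting "Veeam".
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Veeam*' -and $_.DisplayVersion } |
        Select-Object DisplayName, DisplayVersion
}

function Get-VeeamCoreBuild {
    # Assumption: default install path; the core DLL's file version matches the
    # build number Veeam shows under Help > About. Returns $null if not present.
    $dll = 'C:\Program Files\Veeam\Backup and Replication\Backup\Veeam.Backup.Core.dll'
    if (Test-Path -LiteralPath $dll) {
        try { return [version](Get-Item -LiteralPath $dll).VersionInfo.FileVersion }
        catch { return $null }
    }
    return $null
}

function Test-VeeamPatchLevel {
    $results = @()
    foreach ($p in Get-InstalledVeeamProducts) {
        # Map the installed product to a fixed build by display-name prefix (assumption).
        $key = $fixed.Keys | Where-Object { $p.DisplayName -like "$_*" } | Select-Object -First 1
        if (-not $key) { continue }
        try { $installed = [version]$p.DisplayVersion } catch { continue }
        $results += [pscustomobject]@{
            Product    = $p.DisplayName
            Installed  = $installed
            FixedBuild = $fixed[$key]
            Vulnerable = ($installed -lt $fixed[$key])   # System.Version compares all four parts
        }
    }
    # Cross-check the backup server build from the core DLL, independent of the registry.
    $core = Get-VeeamCoreBuild
    if ($core) {
        $target = $fixed['Veeam Backup & Replication']
        $results += [pscustomobject]@{
            Product    = 'Veeam.Backup.Core.dll (file version)'
            Installed  = $core
            FixedBuild = $target
            Vulnerable = ($core -lt $target)
        }
    }
    return $results
}

Test-VeeamPatchLevel | Format-Table -AutoSize
```

Any row with Vulnerable set to True needs the corresponding upgrade. The DLL check is there because the Uninstall entry's DisplayVersion is not always updated to the full four-part build by every update type, so comparing the file version of the core binary gives a second opinion.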

With attackers increasingly targeting backup software as a way into, and a way to finish off, otherwise well-defended networks, it is more important than ever to keep backup tools up to date. Veeam has acted quickly to fix these bugs, but the responsibility now lies with system administrators and security teams to apply the patches and harden their environments.

If left unpatched, these vulnerabilities could be exploited by threat actors to destroy backups ahead of a ransomware attack, exfiltrate sensitive data, or disrupt business continuity.
