Analysis Summary

Veeam has released patches to fix a critical vulnerability in its Backup & Replication software that could enable remote code execution (RCE) by an authenticated domain user. Tracked as CVE-2025-23121 with a CVSS score of 9.9, the flaw affects all earlier version 12 builds, including 12.3.1.1139, and has been addressed in version 12.3.2 (build 12.3.2.3617). The vulnerability was discovered and reported by researchers at CODE WHITE GmbH and watchTowr.

Security firm noted that this patch likely resolves concerns raised by CODE WHITE in March 2025 regarding the potential bypass of a previous patch for CVE-2025-23120, another critical vulnerability with a CVSS score of 9.9.

Additionally, Veeam has addressed CVE-2025-24286 (CVSS score: 7.2), which allows an authenticated user with Backup Operator privileges to modify backup jobs, potentially leading to arbitrary code execution. The company also patched CVE-2025-24287 (CVSS score: 6.1) in Veeam Agent for Microsoft Windows, which allowed local system users to modify directory contents and achieve code execution with elevated privileges. This issue has been fixed in version 6.3.2 (build 6.3.2.1205).

Researchers also highlighted that over 20% of its incident response cases in 2024 involved Veeam, either through direct exploitation or post-foothold attacks, underscoring the software’s attractiveness as a target for threat actors.

Given the critical nature of these vulnerabilities and the history of Veeam software exploitation, customers are strongly urged to update to the latest versions immediately to mitigate risks of unauthorized access, privilege escalation, and potential data compromise.

Impact

• Remote Code Execution
• Unauthorized Access
• Privilege Escalation

Indicators of Compromise

CVE

• CVE-2025-23121

• CVE-2025-23120

• CVE-2025-24286

• CVE-2025-24287

Affected Vendors

Remediation

• Refer to Veaam Security Advisory for patch, upgrade, or suggested workaround information.
• Review and restrict domain user access to Veeam Backup servers to reduce exploitation risk.
• Monitor Backup Operator activities to detect unauthorized backup job modifications.
• Conduct regular vulnerability scans to identify unpatched Veeam instances.
• Implement least privilege principles for users interacting with Veeam services.
• Review security advisories from Veeam and apply patches promptly.
• Monitor systems for suspicious activities post-update to ensure patch effectiveness.
• Conduct incident response drills focused on backup system compromise scenarios.
• Isolate backup infrastructure from production networks where feasible to limit attacker access.