Advisory
June 18, 2025
Kudelski Security Team

Veeam Backup & Replication: Critical RCE Patched
Summary

On June 17, data resilience vendor Veeam released security updates to fix three vulnerabilities: one critical severity remote code execution (RCE) bug and one high severity arbitrary code execution (ACE) bug in Backup & Replication (VBR), as well as a medium severity local privilege escalation bug affecting Veeam Agent for Microsoft Windows. Importantly, none of the three is exploitable by an unauthenticated remote attacker: the two VBR bugs require an authenticated user, and the agent bug requires a local user on the host.

Affected Systems and/or Applications

Product                              Affected Versions
Veeam Backup & Replication           12, 12.1, 12.2, 12.3, 12.3.1
Veeam Agent for Microsoft Windows    6.0, 6.1, 6.2, 6.3, 6.3.1

Veeam notes in the advisory that “unsupported versions are not tested, but are likely affected and should be considered vulnerable.”

Technical Details / Attack Overview

CVE-2025-23121 (VBR, Critical/9.9):

  • The most severe of the vulnerabilities patched in this update, with a CVSS score of 9.9. It only affects domain-joined backup servers, a configuration that Veeam's own best-practice guidance advises against, and allows any authenticated domain user to execute code remotely on the VBR server.

CVE-2025-24286 (VBR, High/7.2):

  • Still significant: an authenticated user holding the Backup Operator role can modify backup jobs in a way that results in arbitrary code execution on the VBR server.

CVE-2025-24287 (Veeam Agent for Windows, Medium/6.1):

  • A local user on the host can execute arbitrary code with elevated permissions by modifying the contents of specific directories used by the agent.

Mitigation

  • Patch VBR to the latest version, 12.3.2 (build 12.3.2.3617).
  • If your VBR server is joined to your production Active Directory domain, consider adjusting your deployment so that the backup infrastructure does not depend on the environment it is meant to protect.
  • Veeam's best practice document suggests either a separate management workgroup or a management domain in a separate forest for Veeam components.
  • Patch the Windows agent to the latest version, 6.3.2 (build 6.3.2.1205).
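The following PowerShell script is an added example for checking a host against the mitigation steps above; it is not Veeam's or Kudelski Security's own tooling. It reads the installed build of VBR and of the Windows agent, compares each against the fixed build named in this advisory, and reports whether the VBR host is domain-joined (the precondition for CVE-2025-23121). It assumes, and you should verify on your own install, that both products register under the standard Windows Uninstall registry keys with the display names used below, and that the VBR service binary sits at the default path in $VbrServiceExe.

```powershell
# Added example (not Veeam's or Kudelski Security's code): audit one Windows host
# against the fixed builds in this advisory and flag a domain-joined VBR server.
# Run from an elevated PowerShell on the VBR server or on an agent host.

# Fixed builds named in the advisory.
$FixedBuilds = @{
    'Veeam Backup & Replication'        = [version]'12.3.2.3617'
    'Veeam Agent for Microsoft Windows' = [version]'6.3.2.1205'
}

# Standard Windows Uninstall keys (64-bit and 32-bit views).
$UninstallPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Assumed default VBR install path. The binary's file version carries the full
# four-part build even when the Uninstall entry's DisplayVersion is truncated.
$VbrServiceExe = 'C:\Program Files\Veeam\Backup and Replication\Backup\Veeam.Backup.Service.exe'

function Get-InstalledVeeamBuild {
    param(
        [string]$DisplayNamePrefix,   # assumed DisplayName prefix, e.g. 'Veeam Backup & Replication'
        [string]$FallbackExe          # optional binary whose file version to use instead
    )

    $entry = Get-ItemProperty -Path $UninstallPaths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like "$DisplayNamePrefix*" -and $_.DisplayVersion } |
        Select-Object -First 1
    if (-not $entry) { return $null }   # product not installed on this host

    $parsed = $null
    if (-not [version]::TryParse($entry.DisplayVersion, [ref]$parsed)) { return $null }

    # A three-part DisplayVersion such as "12.3.2" parses with Revision = -1 and
    # would wrongly compare below the fixed build, so prefer the file version.
    if ($parsed.Revision -lt 0 -and $FallbackExe -and (Test-Path $FallbackExe)) {
        $fileVersion = (Get-Item $FallbackExe).VersionInfo.FileVersion
        $fromFile = $null
        if ([version]::TryParse($fileVersion, [ref]$fromFile)) { return $fromFile }
    }
    return $parsed
}

function Get-VeeamPatchState {
    foreach ($product in $FixedBuilds.Keys) {
        $fallback = if ($product -eq 'Veeam Backup & Replication') { $VbrServiceExe } else { $null }
        $installed = Get-InstalledVeeamBuild -DisplayNamePrefix $product -FallbackExe $fallback
        if ($null -eq $installed) { continue }

        [pscustomobject]@{
            Product    = $product
            Installed  = $installed.ToString()
            FixedBuild = $FixedBuilds[$product].ToString()
            # Anything older than the fixed build is flagged, which also covers
            # unsupported versions that Veeam says should be considered vulnerable.
            Vulnerable = ($installed -lt $FixedBuilds[$product])
        }
    }
}

function Test-VbrDomainJoined {
    # CVE-2025-23121 is only reachable when the VBR server is domain-joined.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    [pscustomobject]@{
        ComputerName = $cs.Name
        PartOfDomain = $cs.PartOfDomain
        Domain       = $cs.Domain   # workgroup name when not domain-joined
    }
}

$state = Get-VeeamPatchState
$state | Format-Table -AutoSize

$vbr  = $state | Where-Object { $_.Product -eq 'Veeam Backup & Replication' }
$join = Test-VbrDomainJoined
if ($vbr -and $join.PartOfDomain) {
    if ($vbr.Vulnerable) {
        Write-Warning "VBR build $($vbr.Installed) on domain-joined host $($join.ComputerName) ($($join.Domain)): CVE-2025-23121 is reachable by any authenticated domain user until build $($vbr.FixedBuild) is applied."
    } else {
        Write-Warning "VBR is patched but still domain-joined to $($join.Domain); consider moving it to a management workgroup or a separate management forest, as Veeam's best practice guidance recommends."
    }
}
```

The script only reports; it does not change anything. Treat a 'Vulnerable = True' row for VBR on a domain-joined host as the highest priority, since that is the exact precondition for the 9.9 RCE. If neither product shows up, confirm the display names against your own Uninstall entries before trusting the empty result.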

What the Cyber Fusion Center is Doing

The CFC will continue to monitor the situation and send an advisory update if needed. Investigation of threat hunting possibilities is ongoing.

Clients subscribed to our vulnerability scan services will receive relevant results if critical vulnerabilities are found within the scope of the scans as soon as a relevant plugin is made available by the scan provider.

Qualys IDs: (None at time of writing)

Tenable IDs: (None at time of writing)

References

https://www.bleepingcomputer.com/news/security/new-veeam-rce-flaw-lets-domain-users-hack-backup-servers/
https://cybersecuritynews.com/veeam-vulnerabilities/
https://www.veeam.com/kb4743