Veeam Backup Patched Critical Vulnerabilities Enabling RCE & Privilege Escalation
Summary ; Security Advisory
Veeam disclosed three critical vulnerabilities affecting its widely deployed backup software. Veeam Backup & Replication is an enterprise-grade data protection solution used to back up, recover and replicate virtual machines, cloud workloads including physical servers.
| OEM | Veeam |
| Severity | Critical |
| CVSS Score | 9.9 |
| CVEs | CVE-2025-23121, CVE-2025-24286, CVE-2025-24287 |
| Actively Exploited | No |
| Exploited in Wild | No |
| Advisory Version | 1.0 |
Overview
Multiple high-impact vulnerabilities have been disclosed in Veeam Backup & Replication and Veeam Agent for Microsoft Windows, impacting versions prior to 12.3.2 and 6.3.2 respectively.
The most critical issue (CVE-2025-23121) may allow a remote code execution (RCE) on the backup server by an authenticated domain user, effectively granting complete control over backup infrastructure.
The vulnerabilities also include risks of unauthorized modification of backup jobs (CVE-2025-24286) and privilege escalation via local directory manipulation (CVE-2025-24287). These flaws could enable attackers to execute arbitrary code or gain elevated permissions.
These flaws pose significant risks to organizations relying on Veeam for data integrity and disaster recovery. The data protection system of an organization may get affected if compromised and threaten domain-joined backup servers.
| Vulnerability Name | CVE ID | Product Affected | Severity |
| Remote Code Execution via Authenticated Domain User | CVE-2025-23121 | Veeam Backup & Replication | Critical (9.9) |
| Arbitrary Code Execution via Backup Operator Role Abuse | CVE-2025-24286 | Veeam Backup & Replication | High (7.2) |
| Privilege Escalation via Directory Manipulation | CVE-2025-24287 | Veeam Agent for Microsoft Windows | Medium (6.1) |
Technical Summary
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2025-23121 | Veeam Backup & Replication 12.3.1.1139 and all earlier v12 builds | A remote code execution vulnerability affecting domain-joined Veeam backup servers. An authenticated domain user may execute arbitrary commands with elevated privileges. | Remote Code Execution |
| CVE-2025-24286 | Veeam Backup & Replication 12.3.1.1139 and earlier | Authenticated users with the Backup Operator role can modify backup job configurations to inject and execute code. | Arbitrary Code Execution |
| CVE-2025-24287 | Veeam Agent for Microsoft Windows 6.3.1.1074 and earlier | Local users can manipulate directory contents leading to code execution with elevated privileges. | Local Privilege Escalation |
Remediation:
Users are strongly advised to apply the following updates to mitigate the risks:
- Upgrade Veeam Backup & Replication to 12.3.2 (build 12.3.2.3617) or later
- Upgrade Veeam Agent for Microsoft Windows to 6.3.2 (build 6.3.2.1205) or later
Here are some recommendations below
- Limit backup server access to trusted users only to reduce the risk of unauthorized control.
- Apply least privilege principles for backup roles so users have only the permissions they need.
- Regularly monitor backup job changes and system logs to detect suspicious activity early.
- Provide security awareness training to staff focusing on backup and recovery best practices.
Conclusion: For Security Best practices
Veeam has released patches to address all three vulnerabilities and urged organizations to update Veeam Backup & Replication 12.3.2 (build 12.3.2.3617) and Veeam Agent for Microsoft Windows 6.3.2 (build 6.3.2.1205) as soon as possible.
For security best practices maintaining up-to-date backup systems, prompt patching and adherence to security best practices are essential to prevent potential exploitation and data compromise.
The critical nature of vulnerabilities demands backup and disaster recovery along with strict access controls and ongoing monitoring as essential tips to safeguard infrastructure that have been backed up from potential attacks.
References:
