Veeam Software has disclosed three critical security vulnerabilities in its Backup & Replication and Agent for Windows products that could enable attackers to execute arbitrary code on enterprise backup servers and manipulate data protection infrastructure.
The vulnerabilities, tracked as CVE-2025-23121, CVE-2025-24286, and CVE-2025-24287, affect nearly all current installations of Backup & Replication 12.x and Agent for Windows 6.x respectively, with patches now available in updated builds 12.3.2 and 6.3.2.
The most severe vulnerability (CVE-2025-23121) carries a CVSS v3.0 score of 9.9 and enables remote code execution (RCE) on domain-joined Veeam Backup Servers through authenticated domain user accounts.
Security researchers from watchTowr and CodeWhite discovered that malicious actors could exploit this vulnerability to gain complete control over backup management systems, potentially compromising an organization’s entire data protection infrastructure.
This vulnerability specifically impacts Veeam Backup & Replication 12.3.1.1139 and all earlier version 12 builds, affecting both on-premises and cloud-based deployments using Active Directory integration.
The attack vector requires domain authentication but doesn’t necessitate privileged credentials, meaning any compromised domain account could serve as an entry point.
Successful exploitation could enable attackers to manipulate backup data, disrupt recovery capabilities, or establish persistent access to critical infrastructure.
Veeam Vulnerabilities
A secondary high-severity vulnerability (CVE-2025-24286) with a CVSS score of 7.2 allows Backup Operators to modify job configurations for arbitrary code execution.
Discovered by Trend Micro’s Nikolai Skliarenko, this vulnerability in Veeam Backup & Replication enables privilege escalation through malicious job modifications that execute during backup or replication processes.
The third vulnerability (CVE-2025-24287) affects Veeam Agent for Microsoft Windows versions 6.3.1 and earlier, permitting local users to manipulate directory contents for elevated code execution.
Reported by CrisprXiang through Trend Micro’s Zero Day Initiative, this medium-severity vulnerability (CVSS 6.1) could enable attackers with local system access to compromise backup agent functionality.
Mitigations
Veeam has released updated builds (12.3.2.3617 for Backup & Replication and 6.3.2.1205 for Windows Agent) addressing all three vulnerabilities.
The company emphasizes that unsupported versions likely remain vulnerable and recommends immediate patching given the risk of reverse-engineered exploits.
Organizations should prioritize updating domain-joined backup servers first, followed by agents and standalone components.
Veeam’s security team advises reviewing Active Directory permissions for backup service accounts and implementing network segmentation for backup infrastructure.
The disclosure follows Veeam’s Vulnerability Disclosure Program protocols, reflecting increased scrutiny of enterprise backup systems as high-value attack targets.
As ransomware groups increasingly target backup systems to prevent recovery, these vulnerabilities underscore the critical need for timely patch management in data protection environments.
Security analysts recommend complementing updates with multi-factor authentication for backup administrative interfaces and continuous monitoring of backup job integrity.
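The patching order above (domain-joined backup servers first, then agents and standalone components) and the vendor's warning about unsupported versions can be turned into a simple triage script. The example below is added here and is not Veeam's code; it compares installed build numbers against the fixed builds named in the advisory (12.3.2.3617 and 6.3.2.1205) and the inventory it runs on is constructed sample data, not output from any real Veeam host.

```python
"""Triage a Veeam host inventory against the fixed builds from the advisory.

Fixed builds (from the advisory): Backup & Replication 12.3.2.3617 and
Agent for Microsoft Windows 6.3.2.1205. Inventory below is constructed.
"""

# Per product: the supported major version line and the first fixed build.
FIXED_BUILDS = {
    "Backup & Replication": (12, (12, 3, 2, 3617)),
    "Agent for Windows": (6, (6, 3, 2, 1205)),
}


def parse_build(build: str) -> tuple:
    """'12.3.1.1139' -> (12, 3, 1, 1139). Numeric tuples compare correctly;
    plain string comparison would rank '6.3.2.999' above '6.3.2.1205'."""
    parts = tuple(int(p) for p in build.split("."))
    return parts + (0,) * (4 - len(parts))  # pad short strings like '6.3.1'


def assess(product: str, build: str) -> str:
    """Return 'patched', 'vulnerable' or 'unsupported' for one installation."""
    major, fixed = FIXED_BUILDS[product]
    ver = parse_build(build)
    if ver[0] != major:
        # Other version lines are unsupported; the vendor says they likely remain vulnerable.
        return "unsupported"
    return "patched" if ver >= fixed else "vulnerable"


def prioritize(inventory: list) -> list:
    """Hosts still needing action, ordered as the advisory recommends:
    domain-joined backup servers, then other backup servers, then agents."""
    todo = []
    for host in inventory:
        status = assess(host["product"], host["build"])
        if status == "patched":
            continue
        is_vbr = host["product"] == "Backup & Replication"
        rank = 0 if is_vbr and host["domain_joined"] else 1 if is_vbr else 2
        todo.append({**host, "status": status, "rank": rank})
    return sorted(todo, key=lambda h: (h["rank"], h["hostname"]))


# Constructed sample inventory (hypothetical hostnames and builds).
SAMPLE_INVENTORY = [
    {"hostname": "vbr-01", "product": "Backup & Replication", "build": "12.3.1.1139", "domain_joined": True},
    {"hostname": "vbr-02", "product": "Backup & Replication", "build": "12.3.2.3617", "domain_joined": True},
    {"hostname": "vbr-lab", "product": "Backup & Replication", "build": "11.0.0.1", "domain_joined": False},
    {"hostname": "ws-17", "product": "Agent for Windows", "build": "6.3.1", "domain_joined": True},
    {"hostname": "ws-22", "product": "Agent for Windows", "build": "6.3.2.1205", "domain_joined": True},
]

if __name__ == "__main__":
    for h in prioritize(SAMPLE_INVENTORY):
        print(f'{h["rank"]} {h["hostname"]:8} {h["product"]:22} {h["build"]:12} {h["status"]}')
```

Feed it your real asset inventory in place of SAMPLE_INVENTORY; anything reported as "unsupported" should be treated as vulnerable until upgraded to a supported, patched build.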