Veeam Backup and Replication Multiple Vulnerabilities (CVE-2025-23121, CVE-2025-24286, & CVE-2025-24287)

Veeam released a security advisory (KB4743) addressing three vulnerabilities in its Backup & Replication product line. Tracked as CVE-2025-23121, CVE-2025-24286, and CVE-2025-24287, all three may lead to code execution upon successful exploitation. The most severe of them, CVE-2025-23121, can be triggered by any authenticated domain user against a domain-joined backup server.

Veeam Backup & Replication is an industry-leading backup, recovery, and data security solution for on-premises and cloud workloads. As a software-defined, hardware-independent product, it aims to eliminate downtime with instant recovery, protect against cyber threats with native backup immutability, and ensure recoverability with validated backups. Because the backup server holds credentials for, and can write to, every workload it protects, code execution on it is a high-impact outcome and a frequent ransomware target.

CVE-2025-23121

Security researchers at watchTowr and CodeWhite discovered the vulnerability. It has a critical severity rating, with a CVSS score of 9.9. The vulnerability may allow an authenticated domain user to execute code remotely on a vulnerable domain-joined backup server. The precondition is only a valid Active Directory account, not a Veeam role, which is why the score is so high.

CVE-2025-24286

Nikolai Skliarenko of Trend Micro discovered the vulnerability. It has a high severity rating, with a CVSS score of 7.2. The vulnerability may allow an authenticated user with the Backup Operator role to modify backup jobs, which can lead to arbitrary code execution on the backup server.

CVE-2025-24287

CrisprXiang, working with Trend Micro's Zero Day Initiative, discovered the vulnerability. It has a medium severity rating, with a CVSS score of 6.1. The vulnerability may allow local system users to modify directory contents, leading to arbitrary code execution on the local system with elevated permissions. Per KB4743, this issue lies in Veeam Agent for Microsoft Windows rather than in the Backup & Replication server itself.

Affected Versions

CVE-2025-23121 and CVE-2025-24286 affect Veeam Backup & Replication 12.3.1.1139 and all earlier version 12 builds. CVE-2025-24287 affects Veeam Agent for Microsoft Windows; see KB4743 for the affected and fixed agent builds.

Mitigation

Users must upgrade to Veeam Backup & Replication 12.3.2 (build 12.3.2.3617) to patch the vulnerabilities; for CVE-2025-24287, also deploy the fixed Veeam Agent for Microsoft Windows build listed in KB4743 to protected Windows machines. No workaround is offered. Until the upgrade is complete, limit exposure by restricting network access to the backup server to management networks; Veeam's security best practices also recommend keeping the backup server out of the production Active Directory domain (workgroup or separate management forest), which removes the precondition for CVE-2025-23121.
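As an added example (not code from the Qualys post or from Veeam), the following PowerShell compares the installed Backup & Replication build on a server against the fixed build from KB4743. It assumes the default install path and that the file version of Veeam.Backup.Manager.exe carries the product build number; the sample builds fed to the check at the end are constructed inputs that do not require a Veeam install.

```powershell
# Added example (not part of the Qualys post or Veeam's advisory): check whether
# the Veeam Backup & Replication install on this host is below the fixed build
# from KB4743. Run in an elevated PowerShell session on the backup server.

$FixedBuild = [version]'12.3.2.3617'   # fixed build from KB4743

# Assumption: default install path, and that Veeam.Backup.Manager.exe carries the
# product build number in its file version. Adjust for non-default installs.
$ManagerExe = Join-Path $env:ProgramFiles 'Veeam\Backup and Replication\Backup\Veeam.Backup.Manager.exe'

function Get-VeeamBuild {
    param([string]$Path = $ManagerExe)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }   # VBR not installed here
    $vi = (Get-Item -LiteralPath $Path).VersionInfo
    # Build the [version] from the numeric parts rather than parsing the
    # FileVersion string, which can carry extra text in some binaries.
    return [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
}

function Test-VeeamBuild {
    param(
        [Parameter(Mandatory)][version]$Installed,
        [version]$Fixed = $FixedBuild
    )
    # KB4743 scopes the advisory to version 12 builds; other majors need their own check.
    if ($Installed.Major -ne $Fixed.Major) {
        return [pscustomobject]@{
            Installed = $Installed; Status = 'OutOfScope'
            Action    = "Major version $($Installed.Major) is not covered by KB4743"
        }
    }
    if ($Installed -lt $Fixed) {
        return [pscustomobject]@{
            Installed = $Installed; Status = 'Vulnerable'
            Action    = "Upgrade to $Fixed (CVE-2025-23121, CVE-2025-24286)"
        }
    }
    return [pscustomobject]@{ Installed = $Installed; Status = 'Patched'; Action = 'None' }
}

# Live check of this host.
$build = Get-VeeamBuild
if ($null -eq $build) {
    Write-Output "Veeam.Backup.Manager.exe not found at $ManagerExe; VBR is not installed here or uses a non-default path."
} else {
    Test-VeeamBuild -Installed $build | Format-List
}

# Constructed sample builds showing the three outcomes (no VBR install needed):
# 12.3.1.1139 -> Vulnerable, 12.3.2.3617 -> Patched, 11.x -> OutOfScope.
'12.3.1.1139', '12.0.0.1420', '12.3.2.3617', '11.0.1.1261' |
    ForEach-Object { Test-VeeamBuild -Installed ([version]$_) } |
    Format-Table -AutoSize
```

Run this on every backup server (or feed Test-VeeamBuild the build strings from an inventory export) rather than relying on the console's Help > About on a single host. A Patched result for the server still leaves CVE-2025-24287 open on any protected Windows machine running an unpatched Veeam Agent.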

Please refer to the Veeam Security Advisory (KB4743) for more information.

Qualys Detection

Qualys customers can scan their devices with QID 383390 to detect vulnerable assets.

Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.

References
https://www.veeam.com/kb4743
