Authenticated Remote Code Execution Vulnerability via Veeam Backup & Replication

CVE-2025-23121 is a critical vulnerability in Veeam Backup & Replication (VBR) that affects domain-joined VBR servers. It allows an authenticated domain user with limited privileges to achieve remote code execution (RCE) on the VBR server.

The root cause of the vulnerability is that the Veeam Backup server does not adequately enforce security boundaries when integrated into a Windows domain. In particular, components that interact with Veeam services accept user-controlled input at certain points once the caller has authenticated via the domain.

If an attacker already holds a domain account (for example, a low-privilege service or user account), they can trigger this vulnerability to run commands of their choosing on the VBR server. This creates significant risk in scenarios such as:

  • Unauthorized access to backup data
  • Modification of critical configuration files
  • Installation of ransomware
  • Lateral movement to other network systems

Affected Systems

Veeam Backup & Replication:
All 12.x series versions 12.3.1.1139 and older, as well as older versions out of official support.

The same update addresses three vulnerabilities in conjunction; the other two are:

  • CVE-2025-24286 (CVSS 7.2) – Allows users with the backup operator role to achieve RCE
  • CVE-2025-24287 (CVSS 6.1) – Allows local privilege escalation via the Windows Agent

IoCs

-

Recommended Solution(s)

  • Veeam Backup & Replication needs to be upgraded to 12.3.2, build 12.3.2.3617.
  • Windows Agent needs to be updated to 6.3.2, build 6.3.2.1205.
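To turn the two fixed builds above into a repeatable patch-status check across an estate, the following added example (not Veeam's code and not part of the original advisory) compares reported build strings against the fixed builds. The inventory records are constructed sample data, and the hostnames and product labels are assumptions; the only real values are the fixed builds 12.3.2.3617 and 6.3.2.1205 stated in the advisory. Tuple comparison is used so that a short string such as "12.3.2" sorts below the full fixed build and is reported as needing review rather than silently passing.

```python
from dataclasses import dataclass

# Fixed builds from the advisory: VBR 12.3.2.3617, Windows Agent 6.3.2.1205.
FIXED_BUILDS = {
    "VBR": (12, 3, 2, 3617),
    "Windows Agent": (6, 3, 2, 1205),
}


@dataclass(frozen=True)
class Record:
    host: str      # assumed hostname (constructed sample data)
    product: str   # "VBR" or "Windows Agent"
    version: str   # build string as reported by the host


def parse_build(version: str) -> tuple[int, ...]:
    """Parse a dotted build string such as '12.3.1.1139' into a comparable tuple.

    Raises ValueError on anything that is not purely numeric dotted components,
    so malformed inventory entries surface instead of being treated as patched.
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_patched(product: str, version: str) -> bool:
    """True only if the reported build is at or above the fixed build.

    A truncated string like '12.3.2' parses to (12, 3, 2), which compares below
    (12, 3, 2, 3617); this deliberately errs on the side of 'not patched'.
    """
    fixed = FIXED_BUILDS[product]
    return parse_build(version) >= fixed


def triage(inventory: list[Record]) -> list[tuple[str, str, str, str]]:
    """Classify each record as PATCHED, UNPATCHED, or MALFORMED for follow-up."""
    results = []
    for rec in inventory:
        try:
            status = "PATCHED" if is_patched(rec.product, rec.version) else "UNPATCHED"
        except (ValueError, KeyError):
            status = "MALFORMED"
        results.append((rec.host, rec.product, rec.version, status))
    return results


# Constructed sample inventory; hostnames and versions other than the fixed
# builds are invented for illustration.
SAMPLE_INVENTORY = [
    Record("vbr-01.example.test", "VBR", "12.3.1.1139"),   # last affected 12.x build
    Record("vbr-02.example.test", "VBR", "12.3.2.3617"),   # fixed build
    Record("vbr-03.example.test", "VBR", "11.0.0.1"),      # out-of-support line
    Record("ws-01.example.test", "Windows Agent", "6.3.2.1205"),
    Record("ws-02.example.test", "Windows Agent", "6.3.1.1"),
    Record("ws-03.example.test", "Windows Agent", "6.3.2"),  # truncated build string
]


if __name__ == "__main__":
    for host, product, version, status in triage(SAMPLE_INVENTORY):
        print(f"{status:9} {host:22} {product:14} {version}")
```

Anything reported UNPATCHED or MALFORMED should be reconciled against the actual installed build before being treated as remediated.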

CVE / CWE

CVE-2025-23121

Related Website(s)

* Vulnerabilities with a CVSS 3.1 score between 7.0 and 8.9 are evaluated to be “high” whereas vulnerabilities with a CVSS 3.1 score between 9.0 and 10.0 are evaluated to be “critical”.