Critical security vulnerabilities have been discovered in Veeam’s backup software solutions that could allow attackers to execute malicious code remotely on backup servers, posing significant risks to enterprise data protection systems.
The vulnerabilities, tracked as CVE-2025-23121, CVE-2025-24286, and CVE-2025-24287, affect widely used Veeam products and have prompted immediate patching recommendations from security experts.
Critical Remote Code Execution Vulnerability
The most severe vulnerability, CVE-2025-23121, carries a critical CVSS v3.0 score of 9.9 and enables remote code execution on backup servers by authenticated domain users.
This flaw specifically impacts domain-joined backup servers, creating a particularly dangerous attack vector for organizations that integrate their backup infrastructure with Active Directory environments.
Security researchers from watchTowr and CodeWhite reported this vulnerability, highlighting its potential for widespread exploitation in enterprise environments.
The vulnerability’s high severity rating reflects the critical nature of backup systems in organizational infrastructure. Successful exploitation could allow attackers to compromise not only the backup server itself but also potentially gain access to sensitive backup data across the entire organization.
This represents a significant security risk, as backup servers typically contain copies of an organization’s most valuable data assets.
A second significant flaw, CVE-2025-24286, received a high severity rating with a CVSS v3.1 score of 7.2. This vulnerability allows authenticated users with the Backup Operator role to modify backup jobs in ways that could execute arbitrary code.
Nikolai Skliarenko, working with Trend Micro, reported this security issue, which demonstrates how privilege escalation can occur within backup management systems.
This vulnerability is particularly concerning because it exploits legitimate user roles within the backup system. Attackers who gain Backup Operator credentials could manipulate backup jobs to execute malicious code, potentially corrupting backup data or using the backup infrastructure as a launching point for broader network attacks.
The third vulnerability, CVE-2025-24287, affects Veeam Agent for Microsoft Windows and carries a medium-severity CVSS v3.1 score of 6.1. CrisprXiang, working with Trend Micro Zero Day Initiative, discovered this flaw, which allows local system users to modify directory contents and achieve arbitrary code execution with elevated permissions.
Veeam Backup & Replication 12.3.1.1139 and all earlier version 12 builds are affected by the critical and high-severity vulnerabilities. Veeam Agent for Microsoft Windows 6.3.1.1074 and all earlier version 6 builds are vulnerable to the local privilege escalation issue.
Mitigations
Veeam has released patches to address these vulnerabilities. Organizations should immediately update to Veeam Backup & Replication 12.3.2 (build 12.3.2.3617) to resolve CVE-2025-23121 and CVE-2025-24286. For the Windows Agent vulnerability, users should upgrade to Veeam Agent for Microsoft Windows 6.3.2 (build 6.3.2.1205).
Security experts recommend that organizations prioritize these updates given the critical nature of backup infrastructure and the potential for data compromise.
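The following is an added inventory check, not code from the article or from Veeam: it compares installed build numbers against the fixed builds named above and flags hosts that still need the update. The product labels, host names and sample inventory are constructed for the example.

```python
# Added example (not from the article or Veeam): triage a list of Veeam installs
# against the fixed builds named in the advisory text above.
from typing import NamedTuple


class Advisory(NamedTuple):
    affected_major: int   # only this major release line is named as affected
    fixed_build: tuple    # first build that carries the fix
    cves: tuple


# Build numbers and CVE ids are the ones stated in the article; the product
# keys are labels assumed for this example.
ADVISORIES = {
    "Veeam Backup & Replication": Advisory(
        12, (12, 3, 2, 3617), ("CVE-2025-23121", "CVE-2025-24286")),
    "Veeam Agent for Microsoft Windows": Advisory(
        6, (6, 3, 2, 1205), ("CVE-2025-24287",)),
}


def parse_build(version: str) -> tuple:
    """Turn '12.3.1.1139' into (12, 3, 1, 1139); shorter strings are zero-padded."""
    parts = [int(p) for p in version.strip().split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"unexpected version format: {version!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def assess(product: str, version: str) -> str:
    """Return 'patched', a VULNERABLE verdict with CVE ids, or an out-of-scope note."""
    adv = ADVISORIES[product]
    build = parse_build(version)
    if build[0] != adv.affected_major:
        return "not covered by this advisory"  # e.g. another major release line
    if build >= adv.fixed_build:
        return "patched"
    return "VULNERABLE: " + ", ".join(adv.cves)


def triage(inventory):
    """inventory: iterable of (hostname, product, version) -> list of findings."""
    return [(host, product, version, assess(product, version))
            for host, product, version in inventory]


if __name__ == "__main__":
    SAMPLE = [  # constructed sample inventory; host names are placeholders
        ("vbr-01", "Veeam Backup & Replication", "12.3.1.1139"),
        ("vbr-02", "Veeam Backup & Replication", "12.3.2.3617"),
        ("ws-17", "Veeam Agent for Microsoft Windows", "6.3.1.1074"),
    ]
    for row in triage(SAMPLE):
        print(*row, sep=" | ")
```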
The post New Veeam Vulnerabilities Enables Malicious Remote Code Execution on Backup Servers appeared first on Cyber Security News.