Veeam has released security updates today to fix several Veeam Backup & Replication (VBR) flaws, including a critical remote code execution (RCE) vulnerability.
Tracked as CVE-2025-23121, this security flaw was reported by security researchers at watchTowr and CodeWhite, and it only impacts domain-joined installations.
As Veeam explained in a Tuesday security advisory, the vulnerability can be exploited by authenticated domain users in low-complexity attacks to gain code execution remotely on the Backup Server. This flaw affects Veeam Backup & Replication 12 or later, and it was fixed in version 12.3.2.3617, which was released earlier today.
While CVE-2025-23121 only impacts VBR installations joined to a domain, any domain user can exploit it, making it easy to abuse in those configurations.
Unfortunately, many companies have joined their backup servers to a Windows domain, ignoring Veeam's best practices, which advise admins to use a separate Active Directory Forest and protect the administrative accounts with two-factor authentication.
In March, Veeam patched another RCE vulnerability (CVE-2025-23120) in Veeam’s Backup & Replication software that impacts domain-joined installations.
Ransomware gangs have also told BleepingComputer years ago that they always target VBR servers because they simplify stealing victims’ data and block restoration efforts by deleting backups before deploying the ransomware payloads on the victims’ networks.
As Sophos X-Ops incident responders revealed in November, another VBR RCE flaw (CVE-2024-40711) disclosed in September is now being exploited to deploy Frag ransomware.
The same vulnerability was also used to gain remote code execution on vulnerable Veeam backup servers in Akira and Fog ransomware attacks starting in October.
In the past, the Cuba ransomware gang and FIN7, a financially motivated threat group known to collaborate with the Conti, REvil, Maze, Egregor, and BlackBasta ransomware gangs, were also observed exploiting VBR vulnerabilities.
Veeam's products are used by over 550,000 customers worldwide, including 82% of Fortune 500 companies and 74% of Global 2,000 firms.
Why IT teams are ditching manual patch management
Patching used to mean complex scripts, long hours, and endless fire drills. Not anymore.
In this new guide, Tines breaks down how modern IT orgs are leveling up with automation. Patch faster, reduce overhead, and focus on strategic work — no complex scripts required.
Related Articles:
Trend Micro fixes critical vulnerabilities in multiple products
Sitecore CMS exploit chain starts with hardcoded 'b' password
Exploit details for max severity Cisco IOS XE flaw now public
Hackers are exploiting critical flaw in vBulletin forum software
Unpatched critical bugs in Versa Concerto lead to auth bypass, RCE
Original Article Published at Bleeping Computer
________________________________________________________________________________________________________________________________
