
Veeam Fixes Critical Remote Code Execution Bug in Backup & Replication Software


Veeam has issued new security patches to address multiple vulnerabilities in its Backup & Replication (VBR) software, including a severe remote code execution (RCE) flaw. Identified as CVE-2025-23121, this particular vulnerability was uncovered by researchers from watchTowr and CodeWhite and impacts only installations that are connected to a domain. 

According to Veeam’s advisory released on Tuesday, the vulnerability can be exploited by any authenticated domain user to execute code remotely on the backup server. The flaw requires minimal attack complexity and affects versions of Veeam Backup & Replication 12 and later. The issue has been resolved in version 12.3.2.3617, made available earlier today. 

Although the vulnerability is confined to domain-joined setups, it poses a significant risk due to the ease with which domain users can leverage it. Alarmingly, many organizations have connected their backup servers to Windows domains, going against Veeam’s own security recommendations. These guidelines suggest using a separate Active Directory Forest for backups and enforcing two-factor authentication on administrative accounts to reduce exposure. 

This is not the first time a serious RCE flaw has been found in Veeam’s software. In March 2025, another vulnerability (CVE-2025-23120) was patched that similarly affected domain-joined installations. Earlier, in September 2024, another VBR vulnerability (CVE-2024-40711) was exploited in the wild, eventually being used to deliver the Frag ransomware. That same flaw was later linked to Akira and Fog ransomware attacks starting in October. Cybercriminals have increasingly targeted Veeam Backup & Replication servers as part of their ransomware campaigns. 

These systems often store critical backups, making them ideal targets for attackers looking to maximize damage. Ransomware operators frequently aim to disable these systems before launching full-scale attacks, making recovery more difficult for the victim. Historically, ransomware groups such as Cuba, as well as financially motivated actors like FIN7—known for collaborating with major ransomware operations like REvil, Maze, Conti, and BlackBasta—have been seen exploiting VBR vulnerabilities. 

With over 550,000 organizations relying on Veeam’s solutions globally, including the majority of Fortune 500 companies and most of the Global 2000, the potential impact of such flaws is significant. These repeated discoveries of critical vulnerabilities highlight the urgent need for enterprises to follow recommended configurations and keep their backup software up to date.

Veeam Issues Urgent Security Patch to Fix Critical RCE Flaw in Backup & Replication Software

Veeam has rolled out crucial security patches addressing multiple vulnerabilities in its Backup & Replication (VBR) software—most notably, a critical remote code execution (RCE) flaw tracked as CVE-2025-23121.

This specific vulnerability, discovered by researchers at watchTowr and CodeWhite, impacts only those VBR installations that are joined to a domain. According to Veeam’s security advisory released on Tuesday, the flaw allows authenticated domain users to execute code remotely on the backup server through relatively simple attack methods. The issue affects Veeam Backup & Replication version 12 and later and has been resolved in version 12.3.2.3617, which was made available earlier today.

Despite the restriction to domain-linked systems, the vulnerability can be exploited by any domain user—posing a serious risk in environments where this configuration exists.

Many organizations still connect their backup servers to Windows domains, contrary to Veeam's best practices. The company advises using a separate Active Directory Forest and enforcing two-factor authentication for administrative accounts.

This is not the first time Veeam has faced such issues. In March, the company addressed another RCE vulnerability (CVE-2025-23120), also targeting domain-connected installations.

Ransomware operators have long focused on VBR servers due to their strategic value. These systems often serve as the gateway to deleting backups and crippling restoration efforts, as BleepingComputer was told by threat actors in prior years.

Recent incidents further highlight the ongoing risk. Sophos X-Ops disclosed in November that CVE-2024-40711, revealed in September, is actively being used to deploy Frag ransomware. This flaw was also weaponized in Akira and Fog ransomware campaigns starting in October.

Historically, groups like the Cuba ransomware gang and FIN7—a financially motivated threat group with ties to Conti, REvil, Maze, and BlackBasta—have exploited similar VBR vulnerabilities.

Veeam's software is widely used across industries, serving over 550,000 customers globally, including 82% of Fortune 500 and 74% of Global 2000 companies.