Advisory

Multiple security vulnerabilities patched in Veeam Backup & Replication, one critical

Take action: If you use Veeam Backup & Replication or Veeam Agent for Windows, review the flaws and plan a patch cycle. The critical flaw is applicable if your Veeam server is joined to your Active Directory domain, so check that first.

Learn More

Veeam has patched multiple security vulnerabilities in their backup and replication software.

Vulnerabilities summary

  • CVE-2025-23121 (CVSS score 9.9) - A vulnerability in Veeam Backup & Replication allowing remote code execution (RCE) on the Backup Server: any authenticated domain user can exploit it to run code remotely on the Backup Server.
  • CVE-2025-24286 (CVSS score 7.2) - A vulnerability in Veeam Backup & Replication allowing an authenticated user with the Backup Operator role to modify backup jobs, which could execute arbitrary code.
  • CVE-2025-24287 (CVSS score 6.1) - A vulnerability in Veeam Agent for Windows allowing local system users to modify directory contents, enabling arbitrary code execution on the local system with elevated permissions.

The critical vulnerability only impacts domain-joined backup servers. Unfortunately, many companies have joined their backup servers to Windows domains, ignoring Veeam's best practices, which advise administrators to use a separate Active Directory forest and to protect administrative accounts with two-factor authentication.

Affected versions include:

  • Veeam Backup & Replication 12.3.1.1139 and all earlier version 12 builds are vulnerable to CVE-2025-23121 and CVE-2025-24286.
  • Veeam Agent for Microsoft Windows 6.3.1.1074 and all earlier version 6 builds are affected by CVE-2025-24287.
  • Unsupported product versions are not tested but are likely affected and should be considered vulnerable.

Organizations should immediately update to Veeam Backup & Replication 12.3.2 (build 12.3.2.3617). For the Windows Agent vulnerability, users should upgrade to Veeam Agent for Microsoft Windows 6.3.2 (build 6.3.2.1205) to address CVE-2025-24287. 
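The two checks the advisory asks for (is the server domain-joined, and is the installed build older than the fix) lend themselves to a repeatable triage over a host inventory. The following is an added example, not Veeam tooling; it compares builds numerically against the fixed builds named above and reports which CVEs still apply. The `domain_joined` flag is assumed to come from your own inventory, and the host names and builds in the sample records are constructed.

```python
# Added example (not Veeam tooling): triage an inventory of Veeam hosts against
# the fixed builds named in this advisory. Inventory below is constructed data.
# Fixed builds from the advisory; anything that compares below them is flagged.
VBR_FIXED = (12, 3, 2, 3617)   # Veeam Backup & Replication 12.3.2
AGENT_FIXED = (6, 3, 2, 1205)  # Veeam Agent for Microsoft Windows 6.3.2

def parse_build(build: str) -> tuple[int, ...]:
    """'12.3.1.1139' -> (12, 3, 1, 1139). Numeric tuples compare correctly;
    plain strings would rank '12.3.10.1' below '12.3.9.1'."""
    parts = build.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed build string: {build!r}")
    return tuple(int(p) for p in parts)

def assess_vbr(build: str, domain_joined: bool) -> list[str]:
    """Advisory CVEs applicable to a Backup & Replication server. Unsupported
    pre-12 builds compare below the fix and are flagged, as the advisory advises."""
    if parse_build(build) >= VBR_FIXED:
        return []
    cves = ["CVE-2025-23121"] if domain_joined else []  # RCE needs a domain user
    cves.append("CVE-2025-24286")  # Backup Operator role; domain not required
    return cves

def assess_agent(build: str) -> list[str]:
    """Advisory CVEs applicable to a Veeam Agent for Windows install."""
    return [] if parse_build(build) >= AGENT_FIXED else ["CVE-2025-24287"]

def triage(inventory: list[dict]) -> dict[str, list[str]]:
    """Map each host to its applicable CVEs; fully patched hosts are omitted."""
    findings = {}
    for rec in inventory:
        if rec["product"] == "vbr":
            cves = assess_vbr(rec["build"], rec.get("domain_joined", False))
        else:
            cves = assess_agent(rec["build"])
        if cves:
            findings[rec["host"]] = cves
    return findings

# Constructed sample inventory: host names and builds are illustrative only.
SAMPLE_INVENTORY = [
    {"host": "vbr-01", "product": "vbr", "build": "12.3.1.1139", "domain_joined": True},
    {"host": "vbr-02", "product": "vbr", "build": "12.3.2.3617", "domain_joined": True},
    {"host": "vbr-03", "product": "vbr", "build": "12.1.0.1", "domain_joined": False},
    {"host": "ws-07", "product": "agent", "build": "6.3.1.1074"},
]

if __name__ == "__main__":
    for host, cves in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {', '.join(cves)}")
```

Hosts patched to the fixed build drop out of the report, and a domain-joined server on an affected build shows the critical CVE first, matching the advisory's ordering of priorities.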
