Critical RCE Bug Rated 9.9 CVSS in Backup & Replication

Jun 18, 2025 | Ravie Lakshmanan | Vulnerability / Information Security

Veeam has rolled out patches to contain a critical security flaw impacting its Backup & Replication software that could result in remote code execution under certain conditions.

The security defect, tracked as CVE-2025-23121, carries a CVSS score of 9.9 out of a maximum of 10.0.

"A vulnerability allowing remote code execution (RCE) on the Backup Server by an authenticated domain user," the company said in an advisory.

CVE-2025-23121 affects all earlier version 12 builds, including 12.3.1.1139. It has been addressed in version 12.3.2 (build 12.3.2.3617). Security researchers at CODE WHITE GmbH and watchTowr have been credited with discovering and reporting the vulnerability.

Cybersecurity company Rapid7 noted that the update likely addresses concerns shared by CODE WHITE in late March 2025 that the patch put in place to plug a similar hole (CVE-2025-23120, CVSS score: 9.9) could be bypassed.

Also addressed by Veeam is another flaw in the same product (CVE-2025-24286, CVSS score: 7.2) that allows an authenticated user with the Backup Operator role to modify backup jobs, which could result in arbitrary code execution.

The American company separately patched a vulnerability affecting Veeam Agent for Microsoft Windows (CVE-2025-24287, CVSS score: 6.1) that allows local system users to modify directory contents, leading to code execution with elevated permissions. The issue has been patched in version 6.3.2 (build 6.3.2.1205).

According to Rapid7, more than 20% of its incident response cases in 2024 involved either the access or exploitation of Veeam, once a threat actor had already established a foothold in the target environment.

With security flaws in Veeam backup software becoming a prime target for attackers in recent years, it is essential that customers update to the latest version of the software with immediate effect.