Overview

CVEs: CVE-2025-48983, CVE-2025-48984, CVE-2025-48982
Severity: Critical
Date: 16 October 2025

Multiple vulnerabilities have been patched in Veeam products. The most severe are two critical RCE flaws (CVE-2025-48983, CVE-2025-48984) affecting domain-joined Veeam Backup & Replication installations, which allow code execution by any authenticated domain user.

Additionally, a high-severity local privilege escalation vulnerability (CVE-2025-48982) impacts the Veeam Agent for Windows via a social engineering vector. The cumulative risk threatens the core of enterprise disaster recovery capabilities, potentially leading to significant data loss or network-wide compromise.

Affected Versions

  • Veeam Backup & Replication: Version 12.3.2.3617 and all earlier version 12 builds are affected by the critical RCE flaws.
    • Note: The critical RCE vulnerabilities only impact backup infrastructure servers that are joined to a domain. Servers not joined to a domain are not impacted by CVE-2025-48983 and CVE-2025-48984.
  • Veeam Agent for Microsoft Windows: Version 6.3.2.1205 and all earlier version 6 builds are affected by the privilege escalation flaw.
    • Unsupported product versions should be considered vulnerable.

Vulnerability Breakdown

  • CVE-2025-48983 — Veeam B&R Mount Service RCE
    • Type: Remote Code Execution
    • Impact: RCE on backup infrastructure hosts.
    • Exploitation Vector: An authenticated domain user with network access to the Mount service can execute arbitrary code.
    • CVSS Score: 9.9 (Critical)
    • Conditions Required: Victim server must be a domain-joined Veeam backup infrastructure host.
  • CVE-2025-48984 — Veeam Backup Server RCE
    • Type: Remote Code Execution
    • Impact: RCE on the primary Veeam Backup Server.
    • Exploitation Vector: An authenticated domain user with network access can achieve remote code execution.
    • CVSS Score: 9.9 (Critical)
    • Conditions Required: Victim server must be a domain-joined Veeam Backup & Replication server.
  • CVE-2025-48982 — Veeam Agent for Windows LPE
    • Type: Local Privilege Escalation
    • Impact: Local attacker can escalate privileges.
    • Exploitation Vector: A system administrator is socially engineered into restoring a malicious file onto the system.
    • CVSS Score: 7.3 (High)
    • Conditions Required: Requires interaction from a local administrator.

Mitigation

  • Upgrade to the patched versions immediately. Veeam has warned that attackers will likely reverse-engineer the patches to target unpatched systems.
    • For Veeam Backup & Replication, upgrade to version 12.3.2.4165 Patch or newer.
    • For Veeam Agent for Microsoft Windows, upgrade to version 6.3.2.1302 or newer.
  • Minimise backup infrastructure exposure: Restrict network access to Veeam servers and components to only authorized administrators and necessary systems. Implement strict firewall rules and network segmentation.
  • Apply the principle of least privilege: Ensure any service accounts used by Veeam have the minimum necessary permissions. Audit domain user accounts for excessive privileges.
  • Monitor for suspicious activity: Monitor for unexpected processes spawned by Veeam services, unusual network connections to or from the backup server, and signs of unauthorized access.

Summary for IT Teams

  • Products: Veeam Backup & Replication (v12), Veeam Agent for Microsoft Windows (v6).
  • Threat Level: Critical
  • Action Required:
    • Patch all affected systems immediately. Prioritise domain-joined Veeam Backup & Replication servers due to the critical RCE risk.
    • Identify all installations of Veeam Backup & Replication v12 and upgrade to 12.3.2.4165 Patch.
    • Identify all installations of Veeam Agent for Microsoft Windows v6 and upgrade to 6.3.2.1302.
    • Review access control lists (ACLs) and firewall rules to ensure the Veeam management interface and services are not exposed to untrusted networks.
    • Educate administrators about the social engineering vector associated with CVE-2025-48982 and the risk of restoring files from untrusted sources.
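As an added check for the "identify all installations" actions above and the thresholds in Affected Versions (example code added here, not from the advisory or from Veeam's own tooling), this PowerShell script inventories Veeam components on a Windows host, flags builds below the fixed versions, and records whether the host is domain-joined, since the RCE flaws only apply there. It assumes the products register under the standard Uninstall registry keys with a DisplayName beginning with the product names used here and a parseable DisplayVersion.

```powershell
# Added example, not part of the advisory or Veeam's tooling: inventory Veeam
# components on this host and compare them with the fixed builds named above.
# Assumptions: products register under the standard Uninstall keys with a
# DisplayName starting with the names below and a parseable DisplayVersion.

$fixedBuilds = @{
    'Veeam Backup & Replication'        = [version]'12.3.2.4165'  # CVE-2025-48983, CVE-2025-48984
    'Veeam Agent for Microsoft Windows' = [version]'6.3.2.1302'   # CVE-2025-48982
}

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# The two RCE flaws only affect domain-joined backup infrastructure hosts.
$domainJoined = (Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain

$findings = foreach ($entry in Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue) {
    if (-not $entry.DisplayName) { continue }
    foreach ($product in $fixedBuilds.Keys) {
        if ($entry.DisplayName -notlike "$product*") { continue }

        $installed = $null
        $parsed = [version]::TryParse([string]$entry.DisplayVersion, [ref]$installed)

        # Per the advisory, unsupported or unrecognisable versions are treated as vulnerable.
        if (-not $parsed) { $status = 'Unknown version - treat as vulnerable' }
        elseif ($installed -lt $fixedBuilds[$product]) { $status = 'Vulnerable - upgrade required' }
        else { $status = 'Patched' }

        if ($product -eq 'Veeam Backup & Replication') {
            if ($domainJoined) { $exposure = 'Domain-joined: RCE CVEs apply' }
            else { $exposure = 'Not domain-joined: RCE CVEs do not apply' }
        }
        else { $exposure = 'LPE via social-engineered restore' }

        [pscustomobject]@{
            Host      = $env:COMPUTERNAME
            Product   = $entry.DisplayName
            Installed = $entry.DisplayVersion
            FixedIn   = $fixedBuilds[$product]
            Status    = $status
            Exposure  = $exposure
        }
    }
}

$findings | Format-Table -AutoSize
```

Run it under an elevated session on each backup server and agent host, or wrap it in Invoke-Command to sweep a list of hosts and pipe the results to Export-Csv for tracking.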

Need Help?

If your organisation requires assistance identifying affected systems, applying updates or adjusting configurations, our team is here to help. Email us via soc@secure-iss.com for assistance.