Date: 18 June 2025

Multiple security vulnerabilities have been resolved in Veeam Backup & Replication 12.3.2 and Veeam Agent for Microsoft Windows 6.3.1.1075. These include a critical remote code execution flaw and other issues that allow authenticated users to execute arbitrary code or modify backup jobs.


Overview

The vulnerabilities affect core components of Veeam's backup infrastructure and were reported by established security research groups. If left unpatched, they can be exploited by attackers to gain elevated privileges, modify backups, or execute arbitrary commands.

The issues span critical, high, and medium severity levels and impact both backup servers and endpoint agents.


Critical Remote Code Execution Vulnerability

  • CVE-2025-23121
  • Description: Allows remote code execution (RCE) on the Backup Server by an authenticated domain user.
  • Severity: Critical
  • CVSS v3.0 Score: 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
  • Affected Versions: Veeam Backup & Replication 12.3.1.1139 and all earlier version 12 builds. Unsupported versions are likely vulnerable.
  • Mitigation: Upgrade to Veeam Backup & Replication 12.3.2 or later.


High Severity Vulnerability Allowing Backup Job Modification

  • CVE-2025-24286
  • Description: Allows an authenticated user with the Backup Operator role to modify backup jobs, potentially executing arbitrary code.
  • Severity: High
  • CVSS v3.1 Score: 7.2 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
  • Affected Versions: Veeam Backup & Replication 12.3.1.1139 and all earlier version 12 builds. Unsupported versions are likely vulnerable.
  • Mitigation: Upgrade to Veeam Backup & Replication 12.3.2 or later.


Medium Severity Local Privilege Vulnerability in Veeam Agent for Microsoft Windows

  • CVE-2025-24287
  • Description: Allows local system users to modify directory contents, enabling arbitrary code execution on the local system with elevated permissions.
  • Severity: Medium
  • CVSS v3.1 Score: 6.1 (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L)
  • Affected Versions: Veeam Agent for Microsoft Windows 6.3.1.1074 and all earlier version 6 builds. Unsupported versions are likely vulnerable.
  • Mitigation: Upgrade to Veeam Agent for Microsoft Windows 6.3.1.1075 or later.

Summary for Security Teams

Products:

  • Veeam Backup & Replication (version 12 builds up to 12.3.1.1139)
  • Veeam Agent for Microsoft Windows (version 6 builds up to 6.3.1.1074)

Threat Level: Critical to Medium

Action: Immediate upgrade to Veeam Backup & Replication 12.3.2 and Veeam Agent for Microsoft Windows 6.3.1.1075 or later is strongly recommended.
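As an added illustration (not part of the advisory or of Veeam's tooling), the following PowerShell check reads the standard Windows Uninstall registry entries on a host and compares each installed Veeam build against the fixed builds named above. It assumes the two products register under those keys with a DisplayName containing the product name and a DisplayVersion in the four-part build format used in this advisory.

```powershell
# Added example: flag hosts whose installed Veeam builds fall inside the affected ranges.
# Fixed builds are taken from the advisory above; DisplayName matching is an assumption
# about how the installers register, so verify it against one known host first.
$checks = @(
    @{ Name = 'Veeam Backup & Replication';       Major = 12; FixedIn = [version]'12.3.2' },
    @{ Name = 'Veeam Agent for Microsoft Windows'; Major = 6;  FixedIn = [version]'6.3.1.1075' }
)

# Both 64-bit and 32-bit Uninstall hives; a product may register under either.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Test-VeeamBuild {
    param([string]$DisplayName, [version]$Installed)
    foreach ($c in $checks) {
        if ($DisplayName -notlike "*$($c.Name)*") { continue }
        # Older major versions are out of support; the advisory treats them as likely vulnerable.
        if ($Installed.Major -lt $c.Major) {
            return "$DisplayName $Installed : unsupported major version, treat as vulnerable"
        }
        # [version] compares Major.Minor.Build.Revision, so 12.3.1.1139 sorts below 12.3.2.
        if ($Installed -lt $c.FixedIn) {
            return "$DisplayName $Installed : AFFECTED, upgrade to $($c.FixedIn) or later"
        }
        return "$DisplayName $Installed : patched"
    }
    return $null   # not a product covered by this advisory
}

Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'Veeam*' -and $_.DisplayVersion } |
    ForEach-Object {
        $result = Test-VeeamBuild -DisplayName $_.DisplayName -Installed ([version]$_.DisplayVersion)
        if ($result) { Write-Output "$env:COMPUTERNAME : $result" }
    }
```

Run it locally under an administrative session, or wrap it in Invoke-Command to sweep a list of backup servers and endpoints and collect the AFFECTED lines centrally.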


Need Help?

If your organisation requires assistance identifying affected systems, applying updates or adjusting controller configurations, our team is here to help. Email us via soc@secure-iss.com for assistance.