New Veeam Vulnerabilities Enable Malicious Remote Code Execution on Backup Servers (CVE-2025-23121)
June 18th, 2025
Severity Level: Critical
Technical Details
CVE ID: CVE-2025-23121.
Severity: Critical.
Product Affected: Veeam Backup & Replication (VBR).
Vulnerability Type: Remote Code Execution (Unauthenticated).
CVSS Score: 9.9 (Critical).
Attack Vector: Remote over network (no prior authentication required).
Patched Versions: VBR v12.1.2.172, v11a (build 11.0.1.1261 P20230718), and newer.
If the Backup.Service.exe component is exposed to the network, an attacker can exploit this service to execute arbitrary code on the host machine. The flaw arises from insufficient input validation and insecure handling of network messages by the affected service.
Veeam notes that this vulnerability can only be exploited if the service is exposed to untrusted networks, making public-facing instances particularly vulnerable.
Our Cyber Threat Intelligence Unit has identified a high-severity remote code execution (RCE) vulnerability in Veeam Backup & Replication (VBR), tracked as CVE-2025-23121. With a CVSS v3.1 score of 9.9 (Critical), this vulnerability enables attackers to execute arbitrary code on affected servers, potentially resulting in complete system compromise. This vulnerability affects all VBR versions prior to the June 2025 security update. Veeam has disclosed this issue and released a security patch. Since Veeam is frequently used in enterprise environments for disaster recovery and business continuity, exploiting this flaw could have significant and lasting consequences.
Impact
Successful exploitation of CVE-2025-23121 can lead to:
Remote execution of malicious code without authentication.
Complete compromise of the Veeam backup infrastructure.
Access to sensitive backups, credentials, and configuration data of the infrastructure.
Potential lateral movement to other systems within the network.
Risks of ransomware deployment or data manipulation through compromised backups.
Considering Veeam's role as a backup and disaster recovery solution, system compromise could make organizations susceptible to long-term operational and data losses.
Detection Method
To identify if systems are vulnerable or already targeted:
Verify the current VBR version: Ensure systems are running one of the patched builds listed in the advisory.
Scan for network exposure: Identify VBR management ports that are exposed to public networks (e.g., using tools like Shodan or Nmap).
Analyze service logs: Review Veeam.Backup.Service.exe logs for any unusual or unauthorized access attempts.
Monitor for suspicious behavior: Look for indicators of remote process creation, lateral movement, or unusual system modifications related to Veeam services.
Indicators of Compromise
There are no Indicators of Compromise (IOCs) for this advisory.
Recommendations
Patch Immediately: Upgrade to Veeam Backup & Replication version 12.1.2.172 or the appropriate patched builds.
Restrict Network Exposure: Ensure the backup server is not accessible from the internet or any untrusted networks.
Apply Firewall Rules: Block external access to the ports used by Veeam services unless explicitly required.
Audit Admin Activity: Review recent administrative actions in the Veeam console for any anomalies.
Monitor Backup Integrity: Revalidate the backup chains and configurations to ensure no tampering occurred during the exposure period.
Enable EDR/XDR Protections: Deploy behavioral monitoring on the backup host to detect any post-exploitation activity.
Conclusion
CVE-2025-23121 is a critical, unauthenticated remote code execution (RCE) vulnerability that poses a significant risk to unpatched Veeam Backup & Replication servers. Given its 9.9 CVSS score and the essential role Veeam plays in infrastructure resilience, organizations are urged to address affected systems using the official Veeam patches from the Veeam website to mitigate these vulnerabilities and ensure that no exploitation has occurred. Restricting network exposure and implementing robust monitoring of backup services are essential to minimize attack surfaces and secure business continuity.