Veeam has released security updates today to fix several Veeam Backup & Replication (VBR) flaws, including a critical remote code execution (RCE) vulnerability.
Tracked as CVE-2025-23121, this security flaw was reported by security researchers at watchTowr and CodeWhite, and it only impacts domain-joined installations.
As Veeam explained in a Tuesday security advisory, the vulnerability can be exploited by authenticated domain users in low-complexity attacks to gain code execution remotely on the Backup Server. This flaw affects Veeam Backup & Replication 12 or later, and it was fixed in version 12.3.2.3617, which was released earlier today.
While CVE-2025-23121 only impacts VBR installations joined to a domain, any domain user can exploit it, making it easy to abuse in those configurations.
Unfortunately, many companies have joined their backup servers to a Windows domain, ignoring Veeam’s best practices, which advise admins to use a separate Active Directory Forest and protect the administrative accounts with two-factor authentication.
In March, Veeam patched another RCE vulnerability (CVE-2025-23120) in Veeam’s Backup & Replication software that impacts domain-joined installations.
Ransomware gangs have also told BleepingComputer years ago that they always target VBR servers because they simplify stealing victims’ data and block restoration efforts by deleting backups before deploying the ransomware payloads on the victims’ networks.
As Sophos X-Ops incident responders revealed in November, another VBR RCE flaw (CVE-2024-40711) disclosed in September is now being exploited to deploy Frag ransomware.
The same vulnerability was also used to gain remote code execution on vulnerable Veeam backup servers in Akira and Fog ransomware attacks starting in October.
In the past, the Cuba ransomware gang and FIN7, a financially motivated threat group known to collaborate with the Conti, REvil, Maze, Egregor, and BlackBasta ransomware gangs, were also observed exploiting VBR vulnerabilities.
Veeam’s products are used by over 550,000 customers worldwide, including 82% of Fortune 500 companies and 74% of Global 2,000 firms.
Patching used to mean complex scripts, long hours, and endless fire drills. Not anymore.
In this new guide, Tines breaks down how modern IT orgs are leveling up with automation. Patch faster, reduce overhead, and focus on strategic work — no complex scripts required.
