Full Report
Veeam has rolled out patches to contain a critical security flaw impacting its Backup & Replication software that could result in remote code execution under certain conditions. The security defect, tracked as CVE-2025-23121, carries a CVSS score of 9.9 out of a maximum of 10.0. "A vulnerability allowing remote code execution (RCE) on the Backup Server by an authenticated domain user," the
Analysis Summary
# Vulnerability: Critical RCE in Veeam Backup & Replication via Authenticated User
## CVE Details
- CVE ID: CVE-2025-23121
- CVSS Score: 9.9 (Critical)
- CWE: Not specified directly, but leads to Remote Code Execution (RCE).
## Affected Systems
- Products: Veeam Backup & Replication
- Versions: All earlier version 12 builds, including 12.3.1.1139.
- Configurations: Requires the attacker to be an **authenticated domain user**.
## Vulnerability Description
The vulnerability is a critical flaw in Veeam Backup & Replication that allows for Remote Code Execution (RCE) to occur on the Backup Server. This exploit is triggerable by an authenticated domain user. This addresses security concerns stemming from a potential bypass of a patch for a similar vulnerability (CVE-2025-23120).
## Exploitation
- Status: Not explicitly stated as exploited in the wild, but the criticality implies high risk. Context suggests a high likelihood of exploitation given similar past vulnerabilities.
- Complexity: Low/Medium (Requires authentication, but vector escalates to RCE).
- Attack Vector: Network (Post-authentication).
## Impact
- Confidentiality: High (Implied by RCE on Backup Server)
- Integrity: High (Implied by RCE on Backup Server)
- Availability: High (Implied by RCE on Backup Server)
## Remediation
### Patches
- Veeam Backup & Replication **version 12.3.2 (build 12.3.2.3617)** addresses CVE-2025-23121.
### Workarounds
- Immediate remediation is strongly advised by updating to the patched version. No specific workarounds were detailed in the source, but restricting authenticated user privileges would be a prudent temporary containment measure.
## Detection
- No specific Indicators of Compromise (IOCs) were provided in the source text. Detection efforts should focus on monitoring administrative actions by authenticated domain users leading to remote execution or configuration changes on the Backup Server immediately following patch release.
## References
- Vendor Advisory: veeam dot com/kb4743
- Related Vulnerability Mentioned: CVE-2025-23120
- Researcher Credit: CODE WHITE GmbH and watchTowr