Veeam vulnerability leaves backup servers vulnerable, patch now

Veeam has released security updates to address multiple vulnerabilities in Veeam Backup & Replication (VBR), including a critical vulnerability that allows remote code execution (RCE).

Security researchers at watchTowr and CodeWhite reported the vulnerability, CVE-2025-23121. The vulnerability only affects installations that are domain-joined.

As Veeam explained in a security advisory on Tuesday, authenticated domain users could exploit this vulnerability through low-complexity attacks to remotely execute code on the backup server. This flaw affects Veeam Backup & Replication version 12 or higher. Veeam has since resolved the issue in version 12.3.2.3617.

Although CVE-2025-23121 only affects VBR installations linked to a domain, any domain user can exploit it. This makes it particularly easy to exploit these configurations.

2FA important for protection

Many organizations join their backup servers to a Windows domain, even though Veeam recommends using a separate Active Directory Forest and protecting administrator accounts with two-factor authentication.

In March, Veeam also fixed another RCE vulnerability (CVE-2025-23120) in its Backup & Replication software. This also affected domain-joined installations. Ransomware groups previously told BleepingComputer that they always target VBR servers, because compromising these servers makes it easier to steal data from victims and to block recovery efforts by deleting backups before the ransomware is rolled out within victims’ networks.

In November, incident responders from Sophos X-Ops reported that another VBR RCE vulnerability (CVE-2024-40711), disclosed in September, was being used to spread Frag ransomware. The same vulnerability was also used to execute remote code on vulnerable Veeam backup servers in Akira and Fog ransomware attacks starting in October.

In the past, the Cuba ransomware group and FIN7 — a financially motivated threat actor that collaborates with groups such as Conti, REvil, Maze, Egregor, and BlackBasta — have also been found to exploit VBR vulnerabilities.