
Veeam has issued an urgent security update to address a critical vulnerability in its Backup & Replication (VBR) product that could allow remote code execution on backup servers. Tracked as CVE-2025-23121 with a CVSS score of 9.9, the flaw specifically impacts installations joined to an Active Directory domain.
Discovered by researchers from watchTowr and CodeWhite, the vulnerability, according to Veeam’s official advisory, can be exploited by any authenticated domain user. No special privileges or unusual preconditions are needed: an attacker holding the credentials of an ordinary domain account and network reachability to the backup server is enough, which makes the flaw particularly severe in organizations where backup servers sit in the same domain as everyday user workstations.
The patch is included in version 12.3.2.3617, released on June 17, 2025. The issue affects all version 12 builds of Veeam Backup & Replication prior to that release when the server is joined to a domain. Although Veeam has long advised isolating backup servers in a separate Active Directory forest (or keeping them in a workgroup) and enforcing multi-factor authentication (MFA) for administrative accounts, many enterprises have neglected these best practices, leaving their backup infrastructure dangerously exposed.
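The two conditions the advisory ties together, a pre-fix version 12 build and domain membership, can be checked on the VBR host itself. The following PowerShell is an added example for this article and is not Veeam's own code or tooling; it assumes (these details are not stated on the page) that the install directory is recorded in the registry value `CorePath` under `HKLM:\SOFTWARE\Veeam\Veeam Backup and Replication` and that the product build is the file version of `Veeam.Backup.Service.exe` in that directory.

```powershell
# Added example (not Veeam's code): assess exposure to CVE-2025-23121 on a VBR server.
# Assumptions (not from the article): the install path lives in the registry value CorePath
# under HKLM:\SOFTWARE\Veeam\Veeam Backup and Replication, and the product build is the
# file version of Veeam.Backup.Service.exe found there.

# Build that contains the fix, per Veeam's advisory.
$FixedBuild = [System.Version]'12.3.2.3617'

function Get-VbrBuildVersion {
    # Resolve the installed build from the service executable's file version.
    $regPath = 'HKLM:\SOFTWARE\Veeam\Veeam Backup and Replication'   # assumed key
    $core    = (Get-ItemProperty -Path $regPath -ErrorAction Stop).CorePath
    $exe     = Join-Path -Path $core -ChildPath 'Veeam.Backup.Service.exe'
    return [System.Version](Get-Item -Path $exe -ErrorAction Stop).VersionInfo.FileVersion
}

function Test-VbrDomainJoined {
    # True when the host is a member of an AD domain (workgroup hosts return False).
    return [bool](Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain
}

function Test-Cve202523121Exposure {
    param(
        [Parameter(Mandatory)] [System.Version] $Build,
        [Parameter(Mandatory)] [bool]           $DomainJoined
    )
    # The advisory scopes the flaw to version 12 builds before the fix, on domain-joined servers.
    $unpatched  = ($Build.Major -eq 12) -and ($Build -lt $FixedBuild)
    $vulnerable = $unpatched -and $DomainJoined

    $advice = if ($vulnerable) {
        "Upgrade to $FixedBuild or later immediately; any domain user can reach RCE."
    } elseif ($unpatched) {
        "Host is not domain-joined, but the build is still pre-fix: upgrade to $FixedBuild."
    } elseif ($DomainJoined) {
        "Patched, but still domain-joined: move the backup server to a separate forest or workgroup and enforce MFA."
    } else {
        "Patched and isolated from the production domain."
    }

    [pscustomobject]@{
        Build        = $Build
        FixedBuild   = $FixedBuild
        DomainJoined = $DomainJoined
        Unpatched    = $unpatched
        Vulnerable   = $vulnerable
        Advice       = $advice
    }
}

# Run on the VBR server in an elevated PowerShell session.
$result = Test-Cve202523121Exposure -Build (Get-VbrBuildVersion) -DomainJoined (Test-VbrDomainJoined)
$result | Format-List
```

The version comparison uses `[System.Version]` rather than string comparison so that a build such as 12.3.1.1139 sorts correctly below 12.3.2.3617. A patched-but-domain-joined result is deliberately not reported as "clean": the patch closes this CVE, while the separate-forest and MFA recommendations address the class of problem the article describes.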
This is not the first time VBR has been at the center of serious security concerns. In September 2024, another critical vulnerability (CVE-2024-40711) was discovered, which remains under active exploitation. That flaw facilitated the spread of the Frag ransomware and has since been leveraged by threat groups linked to Akira and Fog extortion campaigns. Compromised backup servers have proven to be strategic entry points — by erasing backup data before launching the main payload, attackers deprive victims of swift recovery options.
Veeam’s products are globally deployed, serving over 550,000 organizations, including 82% of Fortune 500 companies and 74% of the Global 2000. Given this widespread adoption, each newly disclosed VBR vulnerability becomes an immediate and high-value target for cybercriminals.