Article Details
Scrape Timestamp (UTC): 2025-06-17 15:49:00.353
Original Article Text
Click to Toggle View
New Veeam RCE flaw lets domain users hack backup servers. Veeam has released security updates today to fix several Veeam Backup & Replication (VBR) flaws, including a critical remote code execution (RCE) vulnerability. Tracked as CVE-2025-23121, this security flaw was reported by security researchers at watchTowr and CodeWhite, and it only impacts domain-joined installations. As Veeam explained in a Tuesday security advisory, the vulnerability can be exploited by authenticated domain users in low-complexity attacks to gain code execution remotely on the Backup Server. This flaw affects Veeam Backup & Replication 12 or later, and it was fixed in version 12.3.2.3617, which was released earlier today. While CVE-2025-23121 only impacts VBR installations joined to a domain, any domain user can exploit it, making it easy to abuse in those configurations. Unfortunately, many companies have joined their backup servers to a Windows domain, ignoring Veeam's best practices, which advise admins to use a separate Active Directory Forest and protect the administrative accounts with two-factor authentication. In March, Veeam patched another RCE vulnerability (CVE-2025-23120) in Veeam's Backup & Replication software that impacts domain-joined installations. Ransomware gangs have also told BleepingComputer years ago that they always target VBR servers because they simplify stealing victims' data and block restoration efforts by deleting backups before deploying the ransomware payloads on the victims' networks. As Sophos X-Ops incident responders revealed in November, another VBR RCE flaw (CVE-2024-40711) disclosed in September is now being exploited to deploy Frag ransomware. The same vulnerability was also used to gain remote code execution on vulnerable Veeam backup servers in Akira and Fog ransomware attacks starting in October. In the past, the Cuba ransomware gang and FIN7, a financially motivated threat group known to collaborate with the Conti, REvil, Maze, Egregor, and BlackBasta ransomware gangs, were also observed exploiting VBR vulnerabilities. Veeam's products are used by over 550,000 customers worldwide, including 82% of Fortune 500 companies and 74% of Global 2,000 firms. Why IT teams are ditching manual patch management Patching used to mean complex scripts, long hours, and endless fire drills. Not anymore. In this new guide, Tines breaks down how modern IT orgs are leveling up with automation. Patch faster, reduce overhead, and focus on strategic work -- no complex scripts required.
Daily Brief Summary
Veeam issued security updates to address multiple vulnerabilities in their Backup & Replication software, including a critical RCE flaw.
The RCE vulnerability, identified as CVE-2025-23121, affects systems integrated into domain environments and is exploitable by authenticated domain users.
This flaw was specifically prevalent in Veeam Backup & Replication version 12 and later until it was resolved in the latest release, version 12.3.2.3617.
Following insecure practices, many enterprises have integrated their backup servers into a Windows domain rather than following Veeam's advice to use separate Active Directory Forests and dual-factor authentication for admin accounts.
Ransomware groups like Cuba and FIN7 have historically exploited similar Veeam vulnerabilities to facilitate data theft and hinder recovery by deleting backups prior to ransomware deployment.
Veeam's backup solutions are widely used globally, including by 82% of Fortune 500 companies and 74% of the Global 2,000, making these vulnerabilities significant in scale and impact.