Article Details
Scrape Timestamp (UTC): 2025-02-05 12:21:24.721
Source: https://thehackernews.com/2025/02/new-veeam-flaw-allows-arbitrary-code.html
Original Article Text
Click to Toggle View
New Veeam Flaw Allows Arbitrary Code Execution via Man-in-the-Middle Attack. Veeam has released patches to address a critical security flaw impacting its Backup software that could allow an attacker to execute arbitrary code on susceptible systems. The vulnerability, tracked as CVE-2025-23114, carries a CVSS score of 9.0 out of 10.0. "A vulnerability within the Veeam Updater component that allows an attacker to utilize a Man-in-the-Middle attack to execute arbitrary code on the affected appliance server with root-level permissions," Veeam said in an advisory. The shortcoming impacts the following products - It has been addressed in the below versions - "If a Veeam Backup & Replication deployment is not protecting AWS, Google Cloud, Microsoft Azure, Nutanix AHV, or Oracle Linux VM/Red Hat Virtualization, such a deployment is not impacted by the vulnerability," the company noted.
Daily Brief Summary
Veeam has patched a critical vulnerability in its Backup software that could allow arbitrary code execution.
The security flaw, identified as CVE-2025-23114, has a high severity rating of 9.0 on the CVSS scale.
The vulnerability specifically exists in the Veeam Updater component, enabling Man-in-the-Middle attacks.
Attackers could potentially execute arbitrary code with root-level permissions on the affected server.
The issue affects multiple Veeam products but only specific deployments involving major cloud services and virtual environments.
Updated software versions that address this vulnerability have been released for affected systems.
Systems not interacting with cloud services like AWS, Google Cloud, or Microsoft Azure, among others, are not impacted by this flaw.