CERT Issued High Alert Over Critical Veeam Backup Vulnerability

By Ayesha Anwar

The National Computer Emergency Response Team (CERT) has issued a high-alert security advisory warning businesses about a critical Remote Code Execution (RCE) vulnerability in Veeam Backup & Replication (VBR) software. The issue, tracked as CVE-2025-23121, affects VBR versions 12.0 through 12.3.1 and carries a severity score of 9.9 on the CVSS v3.0 scale.

The flaw allows any authenticated domain user to access and execute arbitrary code on domain-joined backup systems, which could compromise an entire backup infrastructure.

According to the National CERT, the vulnerability stems from incorrect access controls in VBR installations that are joined to Windows Active Directory. As a result of these configuration errors, attackers with valid domain credentials can gain unauthorized access and run commands with elevated privileges. CERT advises that businesses running domain-joined VBR systems, rather than the recommended isolated deployment of Veeam, face a greater risk of ransomware attacks, data exfiltration, and total loss of backup data.

The issue has caused a great deal of concern because of its low attack complexity, the absence of any required user interaction, and its high potential for misuse by internal or external threat actors. Cybercriminal groups such as Cuba, Akira, Fog, and FIN7 have previously used similar flaws in backup systems to prevent recovery and spread ransomware throughout networks. The latest vulnerability is a significant threat vector that can make it easy for attackers to take over backup systems.

The advisory states that upgrading to VBR version 12.3.2.3617 or above is the immediate solution. For enterprises that are unable to update right away, CERT advises limiting network access to the backup server using firewall rules, requiring multi-factor authentication for all Veeam admin users, and reviewing domain account permissions. Role-based access control and moving VBR installations to workgroup settings are two further security measures.

Security experts warn that successful exploitation may lead to ransomware moving laterally across the network, remote code execution, privilege escalation, and backup destruction. It is recommended that companies perform tabletop exercises that mimic domain compromise of backup systems and revise incident response procedures to incorporate Veeam-related breach scenarios. To guarantee that recovery alternatives are still available in the event of an attack, secure offline backups must be kept up to date.

To watch for this threat, Veeam and Windows Event logs should be examined for anomalous access attempts, particularly from low-privileged domain accounts. CERT also suggests integrating detection tooling such as SIEM and endpoint detection and response (EDR) solutions to detect and stop exploitation attempts. Immediate patching remains the most dependable mitigation against system compromise.
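As an added illustration of the log review described above (not code from the CERT advisory or from Veeam), the following sketch flags remote logons to a backup server by domain users who are not on the Veeam admin allowlist. The JSON-lines export format, the domain name `CORP`, the account names and the addresses are constructed assumptions; the field names follow Windows Security events 4624 and 4625.

```python
import json
from collections import defaultdict

# Constructed sample: Security-log events exported from the backup server as
# JSON lines. 4624 = successful logon, 4625 = failed logon.
SAMPLE_EVENTS = """\
{"EventID": 4624, "TargetDomainName": "CORP", "TargetUserName": "backup-admin", "LogonType": 10, "IpAddress": "10.0.5.20"}
{"EventID": 4625, "TargetDomainName": "CORP", "TargetUserName": "j.doe", "LogonType": 3, "IpAddress": "10.0.8.77"}
{"EventID": 4624, "TargetDomainName": "CORP", "TargetUserName": "j.doe", "LogonType": 3, "IpAddress": "10.0.8.77"}
{"EventID": 4624, "TargetDomainName": "CORP", "TargetUserName": "WKS-114$", "LogonType": 3, "IpAddress": "10.0.8.14"}
{"EventID": 4624, "TargetDomainName": "VBR01", "TargetUserName": "localadmin", "LogonType": 2, "IpAddress": "-"}
{"EventID": 4624, "TargetDomainName": "CORP", "TargetUserName": "intern01", "LogonType": 10, "IpAddress": "10.0.9.3"}
"""

AD_DOMAIN = "CORP"                              # assumed NetBIOS domain name
BACKUP_ADMINS = {"backup-admin", "svc-veeam"}   # assumed allowlist of Veeam admins
REMOTE_LOGON_TYPES = {3, 10}                    # 3 = network, 10 = RemoteInteractive (RDP)
OUTCOME = {4624: "success", 4625: "failure"}


def flag_unexpected_logons(jsonl, domain=AD_DOMAIN, allowlist=BACKUP_ADMINS):
    """Return {account: {"success": n, "failure": n, "sources": set}} for remote
    logons to the backup server by domain users outside the admin allowlist."""
    allowed = {a.lower() for a in allowlist}
    findings = defaultdict(lambda: {"success": 0, "failure": 0, "sources": set()})
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        outcome = OUTCOME.get(ev.get("EventID"))
        user = str(ev.get("TargetUserName", "")).lower()
        if outcome is None or ev.get("LogonType") not in REMOTE_LOGON_TYPES:
            continue                      # not a remote logon event
        if str(ev.get("TargetDomainName", "")).upper() != domain.upper():
            continue                      # local account, not a domain user
        if not user or user.endswith("$") or user in allowed:
            continue                      # machine account or expected admin
        findings[user][outcome] += 1
        findings[user]["sources"].add(ev.get("IpAddress", "-"))
    return dict(findings)


if __name__ == "__main__":
    for account, hit in sorted(flag_unexpected_logons(SAMPLE_EVENTS).items()):
        print(f"{AD_DOMAIN}\\{account}: {hit['success']} ok, {hit['failure']} failed, "
              f"from {sorted(hit['sources'])}")
```

On a domain-joined VBR server, any account this reports is a candidate for the permission review and firewall restrictions the advisory recommends.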
