Veeam Software has released patches for a critical vulnerability, tracked as CVE-2025-23121, in its Backup & Replication software that exposes users to remote code execution (RCE). The flaw carries a CVSS score of 9.9 out of 10. It affects all versions before 12.3.2 (build 12.3.2.3617), including earlier version 12 builds such as 12.3.1.1139.
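The affected-version boundary above is the kind of fact a defender turns into an inventory check. The following is an added example, not Veeam's code: it compares dotted build strings against the fixed build 12.3.2.3617 named in the advisory and flags hosts that still need the patch. The hostnames and most build numbers in the sample inventory are constructed for illustration; a bare version with no build component (e.g. "12.3.2") is treated conservatively as affected because the fix is tied to a specific build.

```python
"""Flag Veeam Backup & Replication hosts still below the fixed build for CVE-2025-23121.

Added example (not Veeam's code). The fixed build 12.3.2.3617 comes from the
advisory summarised above; the inventory below is constructed for illustration.
"""
from dataclasses import dataclass

# First build that contains the fix, per the advisory.
FIXED_BUILD_CVE_2025_23121 = "12.3.2.3617"


def parse_build(build: str) -> tuple[int, ...]:
    """Turn a dotted build string such as '12.3.1.1139' into a comparable tuple.

    Missing trailing components are padded with 0, so '12.3.2' becomes
    (12, 3, 2, 0) and sorts below any real 12.3.2.x build.
    """
    parts = build.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a numeric build string: {build!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (4 - len(nums))


def is_affected(build: str, fixed: str = FIXED_BUILD_CVE_2025_23121) -> bool:
    """True when `build` is older than the fixed build, i.e. still exposed."""
    return parse_build(build) < parse_build(fixed)


@dataclass
class Host:
    name: str
    build: str


# Constructed sample inventory: hostnames are made up; 12.3.1.1139 and
# 12.3.2.3617 are the builds named in the advisory, the others are invented.
SAMPLE_INVENTORY = [
    Host("bkp-01", "12.3.1.1139"),
    Host("bkp-02", "12.3.2.3617"),
    Host("bkp-03", "12.3.0.1"),
    Host("bkp-04", "12.3.2"),  # version reported without a build number
]


def triage(hosts: list[Host]) -> dict[str, list[str]]:
    """Split hosts into 'patch' (below the fixed build) and 'ok' (at or above it)."""
    report: dict[str, list[str]] = {"patch": [], "ok": []}
    for host in hosts:
        report["patch" if is_affected(host.build) else "ok"].append(host.name)
    return report


if __name__ == "__main__":
    for status, names in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(names) or '-'}")
```

In practice the build strings would come from your asset inventory or from the version recorded on each backup server; the comparison logic stays the same.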
The security firms CODE WHITE GmbH and watchTowr are credited with discovering and reporting the issue. In its advisory, Veeam described it as “A vulnerability allowing remote code execution (RCE) on the Backup Server by an authenticated domain user.” The finding overturns earlier assurances that the prior patch for CVE-2025-23120, which also carried a critical CVSS score of 9.9, was sufficient.
In addition to CVE-2025-23121, Veeam has addressed a second vulnerability rated CVSS 7.2 (CVE-2025-24286), which allows authenticated backup operators to alter backup jobs and potentially achieve arbitrary code execution. The company has also patched a separate flaw in the Veeam Agent for Microsoft Windows (CVE-2025-24287) that affects local system users: it could allow unauthorized modification of directory contents, raising the risk of code execution with elevated permissions.
According to Rapid7, over 20% of its incident response cases in 2024 were linked to vulnerabilities in Veeam products, typically after attackers had already gained access to the target environment. Given the growing trend of attackers exploiting security gaps in Veeam software, customers are advised to apply the updates immediately to mitigate the risk.