Users of Veeam Backup & Replication need to act. Veeam released Veeam Backup & Replication 12.3.2 and Veeam Agent for Microsoft Windows 6.3.2 on June 17, 2025. Among other things, Veeam Backup & Replication 12.3.2 closes the critical Remote Code Execution (RCE) vulnerability CVE-2025-23121, which affects domain-joined backup servers.
I have been informed about this software release and a Veeam security warning by some readers (e.g. here) in the last few hours (thanks for that). Fritz also wrote in the discussion area that Veeam has released the advisory kb4743: Vulnerabilities Resolved in Veeam Backup & Replication 12.3.2. The following products are affected:
- Veeam Backup & Replication | 12 | 12.1 | 12.2 | 12.3 | 12.3.1
- Veeam Agent for Microsoft Windows | 6.0 | 6.1 | 6.2 | 6.3 | 6.3.1
and the updates close the following vulnerabilities:
- CVE-2025-23121 (CVSS v3.0 Score: 9.9; Critical): A vulnerability that allows remote code execution (RCE) on the backup server by an authenticated domain user.
- CVE-2025-24286 (CVSS v3.1 Score: 7.2; High): A vulnerability that allows an authenticated user with the "Backup Operator" role to modify backup jobs, which could result in the execution of arbitrary code.
- CVE-2025-24287 (CVSS v3.1 Score: 6.1; Medium): A vulnerability in Veeam Agent for Microsoft Windows that allows local system users to modify the contents of directories, which can lead to the execution of arbitrary code on the local system with elevated privileges (a local privilege escalation; a 6.1 score falls in the CVSS v3.1 "Medium" band, not "High").
In principle, CVE-2025-23121 should not be exploitable in a hardened deployment, because the recommendation is not to join backup servers to the (production) domain. In practice, however, domain-joined backup servers are likely to exist, and there the bar is low: the vulnerability requires only an authenticated domain user, so any compromised domain account, not just an administrator, is sufficient to reach the backup server.
The vulnerabilities CVE-2025-23121 and CVE-2025-24286 affect Veeam Backup & Replication 12.3.1.1139 and earlier builds. The vulnerabilities are fixed in Veeam Backup & Replication 12.3.2 (build 12.3.2.3617).
Affected by CVE-2025-24287 are Veeam Agent for Microsoft Windows 6.3.1.1074 and all previous builds of version 6. This vulnerability has been fixed in Veeam Agent for Microsoft Windows 6.3.2 (build 6.3.2.1205).
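As an added example (not part of the original post and not Veeam's own tooling), the following PowerShell script compares the installed Veeam Backup & Replication and Veeam Agent builds against the fixed builds named above (12.3.2.3617 and 6.3.2.1205) and flags the domain-joined case that makes CVE-2025-23121 reachable. It assumes that the build number can be read from the file version of Veeam.Backup.Service.exe and Veeam.EndPoint.Service.exe at their default installation paths; both the file names and the paths are assumptions to verify on your own system, and the paths should be adjusted for non-default installations.

```powershell
# Added example, not from Veeam or the original post: check installed Veeam builds
# against the fixed builds from KB4743 and report whether this host is domain-joined.
# ASSUMPTION: the product build is exposed as the file version of these binaries at
# their default install paths. Adjust $Binary if Veeam was installed elsewhere.
$Checks = @(
    @{
        Product    = 'Veeam Backup & Replication'
        FixedBuild = [version]'12.3.2.3617'   # fixed build per KB4743
        Binary     = 'C:\Program Files\Veeam\Backup and Replication\Backup\Veeam.Backup.Service.exe'  # assumed path
        CVEs       = 'CVE-2025-23121, CVE-2025-24286'
    },
    @{
        Product    = 'Veeam Agent for Microsoft Windows'
        FixedBuild = [version]'6.3.2.1205'    # fixed build per KB4743
        Binary     = 'C:\Program Files\Veeam\Endpoint Backup\Veeam.EndPoint.Service.exe'  # assumed path
        CVEs       = 'CVE-2025-24287'
    }
)

function Get-InstalledBuild {
    # Returns the four-part build number of a binary as [version], or $null if missing.
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $fileVersion = (Get-Item -LiteralPath $Path).VersionInfo.FileVersion
    # FileVersion is normally "12.3.1.1139"; strip any trailing text before casting.
    if ($fileVersion -match '^\d+(\.\d+){1,3}') { return [version]$Matches[0] }
    return $null
}

# Domain membership of this host (Win32_ComputerSystem.PartOfDomain is a boolean).
$domainJoined = (Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain

foreach ($c in $Checks) {
    $installed = Get-InstalledBuild -Path $c.Binary
    if ($null -eq $installed) {
        Write-Output ("{0}: binary not found at {1} (not installed, or non-default path)" -f $c.Product, $c.Binary)
        continue
    }
    if ($installed -lt $c.FixedBuild) {
        # [version] comparison is numeric per component, so 12.3.1.1139 -lt 12.3.2.3617 is true.
        Write-Warning ("{0} build {1} is below fixed build {2}: still affected by {3}" -f $c.Product, $installed, $c.FixedBuild, $c.CVEs)
    } else {
        Write-Output ("{0} build {1} is at or above fixed build {2}" -f $c.Product, $installed, $c.FixedBuild)
    }
}

if ($domainJoined) {
    Write-Warning "This host is domain-joined: every authenticated domain account can reach CVE-2025-23121 until build 12.3.2.3617 or later is installed."
} else {
    Write-Output "This host is not domain-joined, which matches the recommendation for backup servers."
}
```

Run the script in an elevated PowerShell session on the backup server and on each host running the Windows agent. A "below fixed build" warning together with "domain-joined" is the combination that deserves priority, since that is exactly the preconditions of CVE-2025-23121; a non-domain-joined server on an old build is still exposed to CVE-2025-24286 via the Backup Operator role and should be updated as well.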