Jul 03, 2025
CVE-2025-23121: Critical RCE Vulnerability Patched in Veeam Backup & Replication
On June 17, 2025, Veeam released an important security update for its widely used Backup & Replication software, a cornerstone tool in enterprise data protection strategies.
Veeam Backup & Replication is essential for ensuring data continuity, system recovery, and business resilience in the face of disruptions, making any vulnerabilities in the platform a serious concern.
In its latest advisory, Veeam addresses three security flaws, including one critical Remote Code Execution (RCE) vulnerability (CVE-2025-23121), marking it as particularly dangerous. Let’s unpack what this means and how users should respond.
What is CVE-2025-23121?
CVE-2025-23121 (CVSS 9.9) is a critical vulnerability that allows authenticated domain users to remotely execute arbitrary code on Veeam Backup Servers. This flaw affects systems that are domain-joined, a setup that Veeam advises against due to its elevated risk profile.
Despite the recommendation, Rapid7 notes that domain-joined backup servers are still a common real-world configuration, making this vulnerability especially urgent.
While no public exploit is available yet, the combination of high potential impact and broad deployment of Veeam systems makes this a critical issue for organizations to address immediately.
A Dangerous Patch Bypass From CVE-2025-23120
What’s more concerning is the context: this vulnerability appears to be a bypass of CVE-2025-23120, a previously patched flaw. Researchers at CODE WHITE and watchTowr, who initially discovered the bypass, were also credited with identifying CVE-2025-23121.
CVE-2025-23120 (CVSS 9.9) – RCE by domain users (SOCRadar Vulnerability Intelligence)
Stay in control of your external digital footprint with SOCRadar’s Attack Surface Management (ASM) module. Quickly discover exposed assets, outdated software, and configuration risks before attackers do. ASM provides continuous monitoring, detailed asset visibility, and actionable alerts to help your team prioritize security efforts and reduce attack surface exposure effectively.
Other Vulnerabilities Addressed
In addition to the critical RCE flaw, Veeam’s advisory also outlines fixes for two additional vulnerabilities:
- CVE-2025-24286 (CVSS 7.2, High): Allows authenticated users with the Backup Operator role to modify backup jobs, potentially leading to arbitrary code execution.
- CVE-2025-24287 (CVSS 6.1, Medium): Affects Veeam Agent for Microsoft Windows, where local system users can modify directory contents, possibly leading to elevated code execution.
While not as severe as CVE-2025-23121, these vulnerabilities could still be exploited by malicious actors with access to internal systems.
What You Should Do
To protect your environment, organizations should immediately update to the latest patched versions:
- Veeam Backup & Replication 12.3.2 (build 12.3.2.3617)
- Veeam Agent for Microsoft Windows 6.3.2 (build 6.3.2.1205)
These updates fully mitigate the vulnerabilities detailed above. For complete guidance, refer to Veeam’s official security advisory.
Track and Prioritize Vulnerabilities with SOCRadar XTI
Don’t miss critical updates or evolving exploit trends. SOCRadar’s Vulnerability Intelligence, part of the Cyber Threat Intelligence suite, delivers:
- Real-time alerts on new CVEs and exploit activity
- Contextual information to assess risk and prioritize patches
- Insights on threat actor tactics and emerging vulnerabilities
Discover how SOCRadar can enhance your vulnerability management and keep your defenses proactive.
By integrating these capabilities into your security workflow, your organization gains the intelligence needed to respond swiftly and reduce exposure to high-risk vulnerabilities.
Related Articles
Subscribe to our newsletter and stay updated on the latest insights!