On June 17, Veeam released fixes for three vulnerabilities, tracked as CVE-2025-23121, CVE-2025-24286, and CVE-2025-24287. The fixes were applied in Veeam Backup & Replication 12.3.2 (build 12.3.2.3617) and Veeam Agent for Microsoft Windows 6.3.2 (build 6.3.2.1205).
One critical flaw, CVE-2025-23121, affects Veeam Backup & Replication and carries a CVSS score of 9.9 out of 10. It could allow authenticated domain users to execute malicious code on domain-joined backup servers when the backup server is integrated with an Active Directory environment.
CVE-2025-24286 is rated with high severity and received a CVSS score of 7.2. Authenticated users with the Backup Operator role could use this vulnerability to manipulate backup jobs and escalate privileges inside backup management systems.
The third vulnerability, tracked as CVE-2025-24287, is a medium-severity flaw in Veeam Agent for Microsoft Windows. It was assigned a CVSS score of 6.1. Local system users could abuse this flaw to modify directory contents and escalate privileges, potentially compromising the integrity of the backup agent.
Analysis:
Similar flaws in Veeam products have been targeted by ransomware actors in the past due to their wide use in enterprise environments. This set of flaws represents a significant security risk, as backup servers typically contain copies of an organization’s most valuable data assets. Given the nature of these vulnerabilities, the risk of exploitation remains high if left unpatched. Organizations are advised to reconfigure their backup architecture to ensure servers are not domain-joined, aligning with Veeam’s best practices for infrastructure isolation.
After patching, organizations should monitor backup servers for anomalous activity and enforce strict access controls. Proactive vulnerability management and architectural hardening are essential to maintaining the integrity of backup environments.
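The two concrete checks the advisory implies, confirming that the installed builds meet the fixed builds named above and flagging whether the backup server is domain-joined, can be scripted. The following is an added example, not Veeam's own tooling; it reads the standard Windows Uninstall registry hives and assumes the products' DisplayName values begin with the product names shown.

```powershell
# Added example (not Veeam code): compare installed Veeam builds against the fixed
# builds from the June 17 advisory and report whether this host is domain-joined.
# Assumption: Uninstall DisplayName begins with the product name (suffixes may vary).
$FixedBuilds = @{
    'Veeam Backup & Replication'        = [version]'12.3.2.3617'
    'Veeam Agent for Microsoft Windows' = [version]'6.3.2.1205'
}

function Get-InstalledVeeamProducts {
    # Enumerate both the 64-bit and 32-bit Uninstall views.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Veeam*' -and $_.DisplayVersion } |
        Select-Object DisplayName, DisplayVersion
}

function Test-VeeamPatchLevel {
    param([Parameter(Mandatory)] [AllowNull()] $Installed)
    foreach ($name in $FixedBuilds.Keys) {
        $match = $Installed | Where-Object { $_.DisplayName -like "$name*" } | Select-Object -First 1
        $fixed = $FixedBuilds[$name]
        if (-not $match) {
            [pscustomobject]@{ Product = $name; Installed = $null; Fixed = $fixed; Status = 'NotInstalled' }
            continue
        }
        # -as [version] returns $null instead of throwing on an unparsable string.
        $ver = $match.DisplayVersion -as [version]
        $status = if (-not $ver) { 'UnknownVersion' } elseif ($ver -ge $fixed) { 'Patched' } else { 'VULNERABLE' }
        [pscustomobject]@{ Product = $name; Installed = $ver; Fixed = $fixed; Status = $status }
    }
}

function Test-DomainJoined {
    # CVE-2025-23121 is only reachable on a domain-joined, AD-integrated backup server.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    [pscustomobject]@{ Host = $cs.Name; PartOfDomain = $cs.PartOfDomain; Domain = $cs.Domain }
}

$results = Test-VeeamPatchLevel -Installed (Get-InstalledVeeamProducts)
$results | Format-Table -AutoSize
$dj = Test-DomainJoined
$dj | Format-Table -AutoSize
$exposed = $results | Where-Object { $_.Product -like 'Veeam Backup*' -and $_.Status -eq 'VULNERABLE' }
if ($dj.PartOfDomain -and $exposed) {
    Write-Warning 'Domain-joined backup server below build 12.3.2.3617: exposed to CVE-2025-23121.'
}
```

Run it as an administrator on the backup server and on hosts running the Windows agent; a 'Patched' status for both products together with PartOfDomain being False matches the advisory's recommended end state.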