Critical RCE in Veeam Backup & Replication Identified as CVE-2025-23121
Disclosed on June 18, 2025, the flaw—tracked as CVE-2025-23121—impacts domain-joined Veeam Backup & Replication (VBR) servers. Security researchers at watchTowr and CodeWhite discovered the bug, which was confirmed by Veeam in a security advisory the same day.
The vulnerability affects VBR version 12 and later builds and is fixed in VBR version 12.3.2.3617. Veeam strongly urges organizations to update immediately.
“This vulnerability can be exploited by authenticated domain users in low-complexity attacks to gain remote code execution on the Backup Server,” the advisory notes.
What makes CVE-2025-23121 especially dangerous is the simplicity of its exploitation: any domain-authenticated user can leverage the flaw. Many organizations—despite Veeam’s best practices—have joined backup infrastructure to their core Windows domain, creating a broader attack surface.
Widespread Misconfigurations Fuel the Risk
According to Veeam’s longstanding guidance, backup servers should be isolated—preferably placed in a separate Active Directory forest—with administrative accounts protected by multi-factor authentication. However, in practice, many enterprise environments neglect these steps for convenience, making their critical data protection layers vulnerable.
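A quick way to turn the two points above (domain membership and patch level) into a check is a short PowerShell posture script run on the backup server. This is an added example, not code from the article or from Veeam; it assumes the VBR service binary sits at the default install path shown, uses the fixed build number quoted from the advisory, and cannot inspect MFA enforcement, which lives in the identity provider rather than on the host.

```powershell
# Added posture check for a Veeam Backup & Replication host (not Veeam's own code).
# Assumptions: default install path below; fixed build 12.3.2.3617 from the advisory.
$FixedBuild = [version]'12.3.2.3617'
$ServiceExe = 'C:\Program Files\Veeam\Backup and Replication\Backup\Veeam.Backup.Service.exe'  # assumed default path

$findings = @()

# 1. Domain membership. The advisory's precondition is an authenticated domain user,
#    so a domain-joined backup server is the exposed configuration.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if ($cs.PartOfDomain) {
    $findings += "Domain-joined ($($cs.Domain)): reachable by any domain user if unpatched; Veeam guidance is a separate forest or no domain membership."
} else {
    $findings += "Not domain-joined (workgroup '$($cs.Workgroup)'): matches Veeam isolation guidance."
}

# 2. Installed build compared with the fixed build from the advisory.
if (Test-Path $ServiceExe) {
    $installed = (Get-Item $ServiceExe).VersionInfo.FileVersionRaw   # [version] object, PowerShell 5+
    if ($installed -lt $FixedBuild) {
        $findings += "VBR build $installed is below $FixedBuild: update required."
    } else {
        $findings += "VBR build $installed is at or above $FixedBuild."
    }
} else {
    $findings += "VBR service binary not found at the assumed path; confirm the install location manually."
}

# 3. MFA on administrative accounts cannot be verified from the host itself;
#    check it in the identity provider or Veeam's own access configuration.
$findings += "MFA on backup admin accounts: verify separately (not checkable from this host)."

$findings
```

Run it in an elevated PowerShell session on each VBR server; a "Domain-joined" line together with a "below 12.3.2.3617" line is the combination the advisory describes, and those hosts should be patched first.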
This is not the first time a similar issue has arisen. Just three months ago, Veeam patched another RCE flaw (CVE-2025-23120) also tied to domain-joined setups.
A Pattern of Exploitation by Ransomware Gangs
Ransomware actors have long targeted VBR servers for one strategic reason—they are the gatekeepers of backup data. By taking them offline first, attackers can cripple an organization’s recovery efforts before deploying ransomware.
In recent years, vulnerabilities in Veeam’s software have been exploited in multiple high-impact attacks:
- CVE-2024-40711 was abused to deploy Frag ransomware in late 2024.
- That same flaw also enabled Akira and Fog ransomware attacks beginning in October.
- FIN7, Cuba ransomware, and affiliates of Conti, REvil, and Maze have exploited earlier VBR bugs.
This persistent focus on Veeam infrastructure has made patch hygiene a non-negotiable necessity for enterprise security teams.
Veeam’s Enterprise Footprint and the Urgency to Patch
Veeam serves over 550,000 customers globally, including 82% of Fortune 500 and 74% of Global 2000 organizations. With such broad adoption, any flaw in its software can become a lucrative entry point for attackers, especially in environments where backup servers are domain-joined and inadequately isolated.
If CVE-2025-23121 remains unpatched, even low-privilege internal users can potentially compromise entire backup ecosystems—risking data integrity, uptime, and compliance mandates.
Looking for a trusted recovery solution?
Defend your organization with [StoneFly DR365]—an air-gapped, immutable backup and recovery appliance trusted by enterprises to ensure zero data loss even in the event of complex cyberattacks.