NEWS Something went wrong? The admin will be the first target — even if Veeam VBR’s code is to blame

ExcalibuR

After a vulnerability is found, admins will have to prove they weren’t involved.


Veeam has released an urgent security update to fix a critical vulnerability in its Backup & Replication (VBR) product that could lead to remote code execution on the backup server. The issue has been assigned the identifier CVE-2025-23121 with a CVSS score of 9.9, and it affects installations joined to an Active Directory domain.


The vulnerability was discovered by researchers from watchTowr and CodeWhite. According to Veeam’s official advisory, the flaw can be exploited by any authenticated domain user. No complex conditions are required for exploitation — just basic network access, which makes the risk especially high for organizations where the backup server is part of a shared domain.


The patch is included in version 12.3.2.3617, released on June 17. The vulnerability impacts all editions of Veeam Backup & Replication version 12 and above deployed in domain environments. Despite Veeam’s long-standing recommendations to isolate backup servers in a separate Active Directory forest and to enable two-factor authentication for administrative accounts, many companies continue to disregard these guidelines — leaving their infrastructure exposed.


This isn’t the first time critical issues have been discovered in VBR. In September 2024, another critical vulnerability (CVE-2024-40711) was revealed and is still being actively exploited. That flaw was used to spread the Frag ransomware. Since October 2024, it has also been used in attacks by ransomware groups linked to Akira and Fog. Vulnerable backup servers became easy targets: by compromising Veeam, attackers were able to delete backups before deploying the main payload, effectively preventing organizations from restoring their systems after an attack.


Veeam products are widely used worldwide, with over 550,000 companies relying on them — including 82% of Fortune 500 and 74% of Global 2000. Given this massive adoption, any new VBR vulnerability becomes an immediate priority target for attackers.
 