Veeam Software has disclosed three serious security flaws in its Backup & Replication suite and Agent for Microsoft Windows, which enable remote code execution and privilege escalation, potentially compromising enterprise backup infrastructures.
These vulnerabilities, patched in recent updates, primarily affect domain-joined systems in version 12 of the software. Organizations are urged to apply fixes immediately to prevent potential data breaches or ransomware exploitation.
CVE ID | Description | Severity | CVSS v3.1 Score | Affected Versions | Patched Version |
---|---|---|---|---|---|
CVE-2025-48983 | Remote code execution in the Mount service of Veeam Backup & Replication by an authenticated domain user | Critical | 9.9 | Veeam Backup & Replication 12.3.2.3617 and all earlier version 12 builds (domain-joined only) | 12.3.2.4165 |
CVE-2025-48984 | Remote code execution on the Backup Server by an authenticated domain user | Critical | 9.9 | Veeam Backup & Replication 12.3.2.3617 and all earlier version 12 builds (domain-joined only) | 12.3.2.4165 |
CVE-2025-48982 | Local privilege escalation in Veeam Agent for Microsoft Windows if an administrator is tricked into restoring a malicious file | High | 7.3 | Veeam Agent for Microsoft Windows 6.3.2.1205 and all earlier version 6 builds | 6.3.2.1302 |
Mount Service RCE Threatens Backup Hosts
The first critical issue, CVE-2025-48983, resides in the Mount service of Veeam Backup & Replication, allowing an authenticated domain user to execute arbitrary code on backup infrastructure hosts.
With a CVSS v3.1 score of 9.9, this flaw was reported by CODE WHITE and impacts all version 12 builds up to 12.3.2.3617; unsupported older releases are likely vulnerable as well.
Veeam notes that only domain-joined configurations are at risk, while the Veeam Software Appliance and forthcoming version 13 remain architecturally unaffected.
The patch, build 12.3.2.4165, resolves the issue by hardening the service against unauthorized code injection. Administrators are advised to follow Veeam’s best practices, favoring workgroup setups over domain integration for enhanced security.
Backup Server Exposed To Domain User Attacks
Similarly severe is CVE-2025-48984, another RCE vulnerability targeting the Backup Server itself, exploitable by authenticated domain users and likewise scored 9.9 on CVSS v3.1.
Discovered by Sina Kheirkhah and Piotr Bazydlo of watchTowr, it shares the same affected versions as CVE-2025-48983, limited to domain-joined Veeam Backup & Replication v12 environments.
Unsupported versions should be treated as vulnerable, though they were not explicitly tested. The same patch, 12.3.2.4165, eliminates this risk, emphasizing the need for swift updates in hybrid or Active Directory-integrated setups.
This flaw underscores the dangers of over-privileged domain access in backup systems, potentially enabling lateral movement across networks.
Agent’s Restore Flaw Enables Privilege Escalation
The third flaw, CVE-2025-48982, affects Veeam Agent for Microsoft Windows and permits local privilege escalation if an administrator restores a malicious file; it is rated High with a CVSS v3.1 score of 7.3.
Reported anonymously via Trend Micro’s Zero Day Initiative, it affects builds up to 6.3.2.1205, whether the agent is managed by Backup & Replication or deployed standalone.
Exploitation requires tricking an administrator into performing a restore, but a successful attempt could elevate the attacker’s privileges significantly. The fix ships in build 6.3.2.1302, making this patch crucial for endpoint protection in Windows environments.
Veeam recommends verifying all agent instances and isolating backups to mitigate social engineering risks. Organizations using affected versions should prioritize updates to safeguard against code execution threats.
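As an added example, not part of the advisory or of Veeam's own tooling, the following Python triage helper applies the affected-build and domain-joined conditions stated above to an inventory list, so an administrator can see which hosts still need which patch. The host names, the "vbr"/"agent" product labels and the v11 build number are constructed for the sample.

```python
"""Triage which of the advisory's three Veeam CVEs apply to an inventory entry.
Rules from the text: CVE-2025-48983/48984 hit Backup & Replication builds below
12.3.2.4165 only when domain-joined (older releases treated as vulnerable, v13
unaffected); CVE-2025-48982 hits Agent for Windows builds below 6.3.2.1302."""
from dataclasses import dataclass

FIXED_VBR_BUILD = (12, 3, 2, 4165)
FIXED_AGENT_BUILD = (6, 3, 2, 1302)

def parse_build(text: str) -> tuple[int, ...]:
    """Turn a dotted build string such as '12.3.2.3617' into a comparable int tuple."""
    return tuple(int(p) for p in text.strip().split("."))

@dataclass
class Host:
    name: str
    product: str         # "vbr" (Backup & Replication) or "agent" (Agent for Windows)
    build: str
    domain_joined: bool

def applicable_cves(host: Host) -> list[str]:
    """Return the advisory CVE ids that still apply to this host."""
    build = parse_build(host.build)
    if host.product == "vbr":
        # v13, the patched build, and workgroup (non-domain) servers are out of scope.
        if build[0] >= 13 or build >= FIXED_VBR_BUILD or not host.domain_joined:
            return []
        return ["CVE-2025-48983", "CVE-2025-48984"]
    if host.product == "agent":
        return ["CVE-2025-48982"] if build < FIXED_AGENT_BUILD else []
    raise ValueError(f"unknown product: {host.product!r}")

def triage(inventory: list[Host]) -> dict[str, list[str]]:
    return {h.name: applicable_cves(h) for h in inventory}

# Constructed sample inventory; host names and the v11 build number are made up.
SAMPLE_INVENTORY = [
    Host("vbr-01", "vbr", "12.3.2.3617", domain_joined=True),
    Host("vbr-02", "vbr", "12.3.2.3617", domain_joined=False),
    Host("vbr-03", "vbr", "11.0.0.1000", domain_joined=True),
    Host("vbr-04", "vbr", "12.3.2.4165", domain_joined=True),
    Host("ws-17", "agent", "6.3.2.1205", domain_joined=True),
    Host("ws-18", "agent", "6.3.2.1302", domain_joined=False),
]

if __name__ == "__main__":
    for name, cves in triage(SAMPLE_INVENTORY).items():
        print(f"{name}: {', '.join(cves) or 'not affected'}")
```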