Veeam has released patches to address a critical security flaw impacting its Backup software that could allow an attacker to execute arbitrary code on susceptible systems.
The vulnerability, tracked as CVE-2025-23114, carries a CVSS score of 9.0 out of 10.0.
“A vulnerability within the Veeam Updater component that allows an attacker to utilize a Man-in-the-Middle attack to execute arbitrary code on the affected appliance server with root-level permissions,” Veeam said in an advisory.
The shortcoming impacts the following products –
- Veeam Backup for Salesforce — 3.1 and older
- Veeam Backup for Nutanix AHV — 5.0 | 5.1 (Versions 6 and higher are unaffected by the flaw)
- Veeam Backup for AWS — 6a | 7 (Version 8 is unaffected by the flaw)
- Veeam Backup for Microsoft Azure — 5a | 6 (Version 7 is unaffected by the flaw)
- Veeam Backup for Google Cloud — 4 | 5 (Version 6 is unaffected by the flaw)
- Veeam Backup for Oracle Linux Virtualization Manager and Red Hat Virtualization — 3 | 4.0 | 4.1 (Versions 5 and higher are unaffected by the flaw)
It has been addressed in the below versions –
- Veeam Backup for Salesforce – Veeam Updater component version 7.9.0.1124
- Veeam Backup for Nutanix AHV – Veeam Updater component version 9.0.0.1125
- Veeam Backup for AWS – Veeam Updater component version 9.0.0.1126
- Veeam Backup for Microsoft Azure – Veeam Updater component version 9.0.0.1128
- Veeam Backup for Google Cloud – Veeam Updater component version 9.0.0.1128
- Veeam Backup for Oracle Linux Virtualization Manager and Red Hat Virtualization – Veeam Updater component version 9.0.0.1127
“If a Veeam Backup & Replication deployment is not protecting AWS, Google Cloud, Microsoft Azure, Nutanix AHV, or Oracle Linux VM/Red Hat Virtualization, such a deployment is not impacted by the vulnerability,” the company noted.