Veeam Backup & Replication, a cornerstone of many enterprises’ data protection strategy, has reportedly become the focus of a new exploit being offered on a clandestine marketplace.
According to a recent listing, a seller operating under the handle “SebastianPereiro” claims to possess a remote-code-execution (RCE) exploit targeting specific Veeam 12.x builds.
Dubbed the “Bug of June 2025,” the exploit allegedly lets a low-privileged domain user bypass the server’s normal authorization controls and gain full control of the host. Early indications suggest the listing may correspond to CVE-2025-23121, but the claim remains unverified and no proof-of-concept has been released publicly.
The listing specifies that successful exploitation requires only a valid Active Directory account, significantly lowering the bar for threat actors who have already obtained domain credentials through phishing, credential theft, or lateral movement.
Payment is set at $7,000 in cryptocurrency, with interested buyers directed to private message the seller.
While the absence of a public proof-of-concept limits independent verification, the potential impact on backup infrastructure is severe: a compromised backup server can be used to exfiltrate, encrypt, or permanently destroy backups, removing the organization’s ability to recover from a subsequent ransomware event.
ThreatMon analysts noted that enterprises running Veeam Backup & Replication in mixed Windows-Linux environments may be especially exposed, because logging and patch-management workflows differ between the two platforms and gaps are easy to miss.
Organizations delaying patches for test or compliance reasons could inadvertently extend their exposure window, increasing the risk of a successful breach.
In response, security teams are advised to prioritize auditing Active Directory accounts with elevated privileges, verify the patch level of every Veeam server, and monitor for anomalous service-account usage.
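The patch-level check above is the one item on that list that can be automated in a few lines. The following PowerShell is an added example (not code from the article, from Veeam, or from ThreatMon): it reads the file version of the core backup service binary and compares it with the first fixed build. Assumptions, labelled in the code: the default 12.x install path, the registry key and CorePath value used to locate a non-default install, and the $FixedBuild placeholder, which must be replaced with the build number given in Veeam’s advisory for CVE-2025-23121.

```powershell
# Added example, not from the article or from Veeam: report whether the Veeam
# Backup & Replication build on this server is at or above the first fixed build.
# ASSUMPTIONS: the default 12.x install path and registry key below, and the
# $FixedBuild value, which must be taken from Veeam's advisory for CVE-2025-23121
# (the number here is a placeholder to replace, not an authoritative value).

param(
    [version]$FixedBuild = [version]'12.3.2.3617'   # ASSUMPTION: confirm against Veeam's advisory
)

function Get-VeeamBuild {
    # Candidate locations of the core backup service binary
    $candidates = @(
        'C:\Program Files\Veeam\Backup and Replication\Backup\Veeam.Backup.Service.exe'  # default path (assumption)
    )
    # Prefer the install path recorded by the installer, when present (assumption: CorePath value)
    $reg = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Veeam\Veeam Backup and Replication' -ErrorAction SilentlyContinue
    if ($reg -and $reg.CorePath) {
        $candidates = @(Join-Path $reg.CorePath 'Veeam.Backup.Service.exe') + $candidates
    }
    foreach ($path in $candidates) {
        if (Test-Path -LiteralPath $path) {
            $fv = (Get-Item -LiteralPath $path).VersionInfo.FileVersion
            # Keep only the numeric part so trailing build tags cannot break the [version] cast
            if ($fv -match '^\d+(\.\d+){1,3}') { return [version]$Matches[0] }
        }
    }
    return $null   # Veeam not found on this host
}

function Test-VeeamPatched {
    param([version]$Installed, [version]$Fixed)
    if (-not $Installed)       { return 'unknown' }   # binary not found; check manually
    if ($Installed -ge $Fixed) { return 'patched' }
    return 'VULNERABLE'                                # below the fixed build: schedule the update
}

$installed = Get-VeeamBuild
[pscustomobject]@{
    Computer  = $env:COMPUTERNAME
    Installed = $installed
    FixedFrom = $FixedBuild
    Status    = Test-VeeamPatched -Installed $installed -Fixed $FixedBuild
}
```

Save it as a script and fan it out to every backup server, for example with Invoke-Command -ComputerName (Get-Content .\veeam-servers.txt) -FilePath .\Check-VeeamBuild.ps1; treat any host reporting unknown as a manual follow-up rather than as patched.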
Infection Mechanism
The listing itself gives no technical detail, so the mechanism below is a speculative reconstruction, not a confirmed analysis. The exploit is described as leveraging improper input validation in a Veeam REST API endpoint: an attacker authenticates with any AD account and submits a specially crafted JSON payload to a backup-session endpoint (the illustration uses /api/sessions/startBackup on port 4443; both are hypothetical placeholders rather than Veeam’s documented REST API), injecting shell commands directly into the backup session creation logic.
A simplified, hypothetical proof-of-concept in PowerShell might resemble:
# Hypothetical illustration only: the host, port, endpoint and field names are
# placeholders, not a documented Veeam API. The encoded command is truncated.
$uri = "https://veeam-server:4443/api/sessions/startBackup"
$payload = @{
    jobName   = "WeeklyBackup"
    preScript = "powershell -Enc SQBuAG..."   # Base64-encoded malicious command
} | ConvertTo-Json
# Prompt for the low-privileged AD credential the listing claims is sufficient
$cred = Get-Credential
Invoke-RestMethod -Uri $uri -Method Post -Body $payload -ContentType "application/json" -Credential $cred -UseBasicParsing
If the service honored such a field, it would execute the supplied PowerShell in the context of the Veeam service account, which typically holds broad rights over backup jobs and repository contents, giving the attacker full control of both.
Continuous monitoring of API traffic and strict AD account hygiene are critical to detecting and disrupting this attack vector.
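Because the listing’s only stated prerequisite is a domain account, the most reliable signal is the Veeam service account being used in a way it never normally is. The following PowerShell is an added example (not code from the article, from Veeam, or from ThreatMon) that flags Security log 4624 logons by the service account from unexpected hosts or with unexpected logon types. It runs offline against a constructed sample of events; the service account name, expected source hosts and expected logon types are assumptions to replace with your own values, and the commented Get-WinEvent pipeline at the end shows how to feed it real events.

```powershell
# Added example, not from the article or from Veeam/ThreatMon: flag logons by the
# Veeam service account that do not match its expected profile.
# ASSUMPTIONS: the account name, the hosts it normally logs on from, and the
# logon types it normally uses. The events below are a CONSTRUCTED sample.

$ServiceAccount     = 'svc_veeam'            # ASSUMPTION: your Veeam service account
$ExpectedSources    = @('VBR01', 'REPO01')   # ASSUMPTION: backup server and repository host
$ExpectedLogonTypes = @(3, 5)                # 3 = Network, 5 = Service; 2 (Interactive) and 10 (RDP) are not expected

# Constructed sample of parsed 4624 events (not real log data)
$sampleEvents = @(
    [pscustomobject]@{ Time='2025-06-18T02:00:01'; TargetUserName='svc_veeam'; LogonType=5;  WorkstationName='VBR01';         IpAddress='-' }
    [pscustomobject]@{ Time='2025-06-18T09:14:22'; TargetUserName='svc_veeam'; LogonType=10; WorkstationName='WS-FINANCE-07'; IpAddress='10.20.30.44' }
    [pscustomobject]@{ Time='2025-06-18T09:15:03'; TargetUserName='jdoe';      LogonType=2;  WorkstationName='WS-FINANCE-07'; IpAddress='10.20.30.44' }
    [pscustomobject]@{ Time='2025-06-18T11:02:40'; TargetUserName='svc_veeam'; LogonType=3;  WorkstationName='REPO01';        IpAddress='10.20.1.5' }
)

function Find-AnomalousServiceLogons {
    param(
        [Parameter(Mandatory)] $Events,   # objects with Time, TargetUserName, LogonType, WorkstationName, IpAddress
        [string]   $Account,
        [string[]] $Sources,
        [int[]]    $LogonTypes
    )
    foreach ($e in $Events) {
        if ($e.TargetUserName -ne $Account) { continue }   # only the service account is profiled here
        $reasons = @()
        if ($LogonTypes -notcontains [int]$e.LogonType) { $reasons += "logon type $($e.LogonType)" }
        if ($Sources    -notcontains $e.WorkstationName) { $reasons += "source host $($e.WorkstationName)" }
        if ($reasons) {
            [pscustomobject]@{
                Time      = $e.Time
                Account   = $e.TargetUserName
                Source    = $e.WorkstationName
                IpAddress = $e.IpAddress
                LogonType = $e.LogonType
                Reason    = ($reasons -join ', ')
            }
        }
    }
}

# Against the sample, only the RDP logon from WS-FINANCE-07 is reported.
Find-AnomalousServiceLogons -Events $sampleEvents -Account $ServiceAccount `
    -Sources $ExpectedSources -LogonTypes $ExpectedLogonTypes | Format-Table -AutoSize

# On a real server, replace $sampleEvents with parsed 4624 events, for example:
# $sampleEvents = Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4624 } -MaxEvents 5000 |
#     ForEach-Object {
#         $x = [xml]$_.ToXml(); $d = @{}
#         $x.Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
#         [pscustomobject]@{ Time=$_.TimeCreated; TargetUserName=$d.TargetUserName; LogonType=$d.LogonType
#                            WorkstationName=$d.WorkstationName; IpAddress=$d.IpAddress }
#     }
```

Run it on the backup server itself, or on the domain controllers for a domain-wide view; a service account appearing with logon type 2 or 10, or from a user workstation, is exactly the pattern a buyer of this listing would produce before touching the backup API.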