Veeam Software, a prominent provider of backup and disaster recovery solutions, has recently disclosed three significant security vulnerabilities within its Backup & Replication suite and the Veeam Agent for Microsoft Windows. These flaws, if exploited, could allow attackers to execute arbitrary code remotely and escalate privileges, thereby compromising enterprise backup infrastructures. The affected systems are primarily those running version 12 of the software in domain-joined configurations. Organizations are strongly urged to apply the available patches immediately to mitigate potential risks, including data breaches and ransomware attacks.
Detailed Analysis of the Vulnerabilities:
1. CVE-2025-48983: Remote Code Execution via Mount Service
This critical vulnerability resides in the Mount service component of Veeam Backup & Replication. It allows an authenticated domain user to execute arbitrary code on backup infrastructure hosts. With a CVSS v3.1 score of 9.9, this flaw was reported by security firm CODE WHITE. All version 12 builds up to 12.3.2.3617 are affected, including unsupported older releases, which are likely vulnerable.
Veeam has clarified that only domain-joined configurations are at risk. The Veeam Software Appliance and the forthcoming version 13 remain unaffected due to architectural differences. To address this issue, Veeam has released patch 12.3.2.4165, which hardens the service against unauthorized code injection. Administrators are advised to follow Veeam’s best practices, favoring workgroup setups over domain integration to enhance security.
2. CVE-2025-48984: Backup Server Vulnerability
Another critical flaw, CVE-2025-48984, targets the Backup Server component itself. This vulnerability allows authenticated domain users to execute remote code, posing a severe risk to the integrity of backup systems. Also carrying a CVSS v3.1 score of 9.9, this issue was discovered by researchers Sina Kheirkhah and Piotr Bazydlo of watchTowr. It affects the same versions as CVE-2025-48983, specifically domain-joined Veeam Backup & Replication v12 environments.
Unsupported versions should be considered vulnerable, even though they were not explicitly tested. The same patch, 12.3.2.4165, addresses this vulnerability. This flaw underscores the dangers of over-privileged domain access in backup systems, potentially enabling lateral movement across networks.
3. CVE-2025-48982: Privilege Escalation in Veeam Agent for Microsoft Windows
The third vulnerability, CVE-2025-48982, affects the Veeam Agent for Microsoft Windows. It permits local privilege escalation if an administrator is tricked into restoring a malicious file. With a CVSS v3.1 score of 7.3, this high-severity issue was reported anonymously via Trend Micro’s Zero Day Initiative. It impacts versions up to 6.3.2.1205, whether integrated with Backup & Replication or used standalone.
Exploitation requires social engineering to convince an administrator to restore a malicious file, which could then elevate attacker privileges significantly. Veeam has addressed this issue in build 6.3.2.1302. Organizations are advised to verify all agent instances and isolate backups to mitigate social engineering risks.
Recommendations for Mitigation:
To protect against these vulnerabilities, organizations should take the following steps:
– Immediate Patching: Apply the latest security updates provided by Veeam. For Backup & Replication, update to version 12.3.2.4165. For Veeam Agent for Microsoft Windows, update to version 6.3.2.1302.
– Review Configuration Settings: Assess the necessity of domain-joined configurations. If feasible, transition to workgroup setups to reduce exposure.
– Enhance Access Controls: Limit domain user access to backup servers and ensure that only authorized personnel have administrative privileges.
– Educate Administrators: Provide training on recognizing social engineering tactics to prevent the restoration of potentially malicious files.
– Monitor Systems: Implement continuous monitoring to detect any unauthorized activities promptly.
By promptly addressing these vulnerabilities and adhering to best practices, organizations can significantly reduce the risk of exploitation and safeguard their critical backup infrastructures.
