CVE-2025-23121: Critical RCE in Veeam Backup & Replication

Veeam has released a critical security update for its widely used Backup & Replication software, addressing several security flaws, of which CVE-2025-23121 has been identified as a critical Remote Code Execution (RCE) vulnerability. The vulnerability poses an immediate risk to organizations, particularly those with Veeam Backup Servers joined to an Active Directory domain. Successful exploitation could lead to a complete compromise of backup infrastructure, data loss, potential denial of service, and lateral movement by attackers across the network.

Threat alert
June 18, 2025

CVE-2025-23121 has been identified as a bypass of CVE-2025-23120, a critical RCE vulnerability that was previously patched in Veeam Backup & Replication. CVE-2025-23120 originated from a deserialization flaw within specific .NET components of Veeam, namely the Veeam.Backup.EsxManager.xmlFrameworkDs and Veeam.Backup.Core.BackupSummary classes. This flaw permitted arbitrary code execution by authenticated domain users and was initially addressed in Veeam Backup & Replication 12.3.1 (build 12.3.1.1139).

Exploitation of CVE-2025-23121 requires authenticated domain user credentials. This means that an attacker does not require administrative privileges to initiate the attack; possession of any valid domain user account is sufficient.

Crucially, this vulnerability primarily impacts Veeam Backup Servers that are domain-joined. Veeam explicitly advises against this configuration in its security best practices guide because of the elevated risk profile it introduces. Veeam's consistent messaging that CVE-2025-23121 impacts “domain-joined backup servers” contrasts with Rapid7’s observation that this remains a “common real-world configuration”.

Vulnerable Versions & Mitigations

Product | Affected Versions | Recommended Patch Version (Build Number)
--- | --- | ---
Veeam Backup & Replication | 12.3.1.1139 and all earlier version 12 builds | 12.3.2 (build 12.3.2.3617)
Veeam Agent for Microsoft Windows | 6.3.1.1074 and all earlier version 6 builds | 6.3.2 (build 6.3.2.1205)
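As an added example that is not part of the advisory, the following Python script triages a constructed inventory against the fixed builds from the table above, ranking domain-joined vulnerable servers first because any authenticated domain user can reach the flaw there. Hostnames and builds in the sample are constructed, and a build from a major version the table does not cover is flagged for manual review rather than assumed safe.

```python
# Fixed builds from the advisory table: (major version, fixed build tuple).
# Any build of the same major version older than the fixed build is affected.
FIXED_BUILDS = {
    "Veeam Backup & Replication": (12, (12, 3, 2, 3617)),
    "Veeam Agent for Microsoft Windows": (6, (6, 3, 2, 1205)),
}
PRIORITY_ORDER = {"P1": 0, "P2": 1, "review": 2, "ok": 3}


def parse_build(build: str) -> tuple[int, ...]:
    """Turn '12.3.1.1139' into (12, 3, 1, 1139) so tuples compare numerically."""
    return tuple(int(p) for p in build.strip().split("."))


def classify(product: str, build: str) -> str:
    """Return 'vulnerable', 'patched' or 'unknown' for one product/build pair."""
    if product not in FIXED_BUILDS:
        return "unknown"
    major, fixed = FIXED_BUILDS[product]
    parsed = parse_build(build)
    if parsed[0] != major:
        return "unknown"  # the advisory only covers this major version
    return "vulnerable" if parsed < fixed else "patched"


def priority(status: str, domain_joined: bool) -> str:
    """Domain-joined vulnerable servers first: any domain user can reach the flaw."""
    if status == "vulnerable":
        return "P1" if domain_joined else "P2"
    return "review" if status == "unknown" else "ok"


def triage(inventory: str) -> list[tuple[str, str, str, str, str]]:
    """Parse 'host,product,build,domain_joined' lines and rank them by risk."""
    rows = []
    for line in inventory.strip().splitlines():
        host, product, build, joined = [f.strip() for f in line.split(",")]
        status = classify(product, build)
        rows.append((host, product, build, status, priority(status, joined.lower() == "yes")))
    return sorted(rows, key=lambda r: PRIORITY_ORDER[r[4]])


# Constructed sample inventory: hostnames and builds are made up for illustration.
SAMPLE_INVENTORY = """
bkp01,Veeam Backup & Replication,12.3.1.1139,yes
bkp02,Veeam Backup & Replication,12.3.2.3617,yes
ws17,Veeam Agent for Microsoft Windows,6.2.0.100,no
bkp03,Veeam Backup & Replication,11.0.1.1261,no
"""

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print(row)
```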

Recommendations

Organizations should prioritize patching; it is also essential to follow best practices that reduce the attack surface:

  • Backup Server Isolation: Veeam strongly advises against domain-joined configurations for backup servers due to the elevated risk they introduce.
  • Enforce Least Privilege & Multi-Factor Authentication (MFA): Access to backup infrastructure must adhere strictly to the principle of least privilege.
  • Network Segmentation: Implement stringent network segmentation to limit backup server access exclusively to trusted IPs and disable any unused services or ports.
  • Vulnerability Management Process: Establish and maintain a robust vulnerability management process that includes regular automated vulnerability scans.