
Veeam has released Patch 12.3.2.4165 for Backup & Replication and Version 6.3.2.1302 for Veeam Agent for Microsoft Windows, addressing three serious vulnerabilities. These include two critical remote code execution (RCE) flaws (CVE-2025-48983, CVE-2025-48984) and one high-severity local privilege escalation (LPE) flaw (CVE-2025-48982). Review this Cybersecurity Threat Advisory to reduce your risk from these threats.
What is the threat?
The patches address three vulnerabilities:
CVE-2025-48983 (CVSS 9.9) is a flaw in the Mount Service of Veeam Backup & Replication that allows an authenticated domain user to execute arbitrary code on backup hosts due to insufficient input validation.
CVE-2025-48984 (CVSS 9.9) is a similar issue in the Backup Server component that allows authenticated domain users to run unauthorized commands with elevated privileges through improper input handling.
CVE-2025-48982 (CVSS 7.3) affects the Veeam Agent for Microsoft Windows, where improper handling of file attributes during restore operations could allow an attacker to gain SYSTEM-level privileges if an administrator restores a crafted file.
These vulnerabilities primarily affect domain-joined Windows environments using Veeam Backup & Replication v12 or Veeam Agent v6. Exploitation could lead to RCE, backup data manipulation, or privilege escalation.
Why is it noteworthy?
These vulnerabilities are critical because they target core backup infrastructure, which is among the most sensitive components in an organization’s environment. Backup servers often store administrative credentials, data copies, and system snapshots. This makes them prime targets for ransomware and espionage campaigns.
The ability for authenticated domain users to trigger RCE significantly lowers the barrier to exploitation. Additionally, unpatched agents introduce a local attack vector on Windows systems. Given Veeam’s widespread use across enterprises and MSPs, these flaws pose a serious risk to data integrity, recovery operations, and business continuity.
What is the exposure or risk?
Domain-joined Veeam servers are vulnerable to remote code execution if an attacker has valid domain credentials. Once a backup server is compromised, adversaries can manipulate or delete backups, disable protection mechanisms, and exfiltrate sensitive data. This access also allows them to use the backup server as a launch point to move laterally into production systems. The privilege escalation flaw (CVE-2025-48982) further increases risk by enabling SYSTEM-level compromise when a crafted file is restored on a Windows host. After public disclosure, attackers often reverse-engineer vendor patches, making unpatched versions especially susceptible to exploitation.
Organizations using older or unsupported Veeam builds with domain integration should assume they are vulnerable. If the backup infrastructure is compromised, the consequences could include ransomware deployment, significant data loss, and extended operational downtime.
What are the recommendations?
Barracuda strongly advises organizations to take the following actions to reduce the risk of exploitation:
- Apply patches immediately: Upgrade Veeam Backup & Replication to version 12.3.2.4165 and Veeam Agent for Microsoft Windows to version 6.3.2.1302 on all affected systems.
- Isolate backup servers: Place Veeam servers in a dedicated, restricted network segment with no direct internet access.
- Restrict domain access: Use local service accounts where possible; avoid domain-joined configurations or limit domain privileges strictly.
- Enforce multi-factor authentication (MFA): Require MFA for all administrative and console access.
- Limit restore permissions: Only authorized administrators should perform restore operations; validate any files restored from external or unknown sources.
- Rotate credentials: After applying updates, change all credentials, service accounts, and tokens associated with Veeam services.
- Enable immutable backups: Use immutable or air-gapped backup repositories to prevent ransomware from encrypting or deleting backups.
- Monitor for suspicious behavior: Watch for unexpected Veeam service restarts, new processes under Veeam context, or unauthorized restore activity.
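As an added example that is not part of this advisory, the following Python snippet triages an asset inventory against the two fixed builds named above, flagging hosts below 12.3.2.4165 (Backup & Replication) or 6.3.2.1302 (Agent for Windows) and listing domain-joined hosts first; the inventory format, host names and older build numbers are constructed.

```python
from dataclasses import dataclass

# Fixed builds named in the advisory, keyed by product.
FIXED_BUILDS = {
    "Veeam Backup & Replication": "12.3.2.4165",
    "Veeam Agent for Microsoft Windows": "6.3.2.1302",
}


def parse_version(text: str) -> tuple:
    """Turn '12.3.2.4165' into (12, 3, 2, 4165). Short strings are padded with
    zeros, so an inventory entry of '12.3.2' is treated as 12.3.2.0 and flagged
    rather than silently passed. Tuples compare numerically, avoiding the string
    trap where '12.3.2.999' would sort after '12.3.2.4165'."""
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (4 - len(parts))


def is_patched(product: str, installed: str) -> bool:
    """True when the installed build is at or above the fixed build for that product."""
    fixed = FIXED_BUILDS.get(product)
    if fixed is None:
        raise ValueError(f"no fixed build known for {product!r}")
    return parse_version(installed) >= parse_version(fixed)


@dataclass
class Host:
    name: str
    product: str
    version: str
    domain_joined: bool  # the advisory's primary exposure is domain-joined hosts


def triage(hosts):
    """Return the unpatched hosts, domain-joined ones first, then by name."""
    unpatched = [h for h in hosts if not is_patched(h.product, h.version)]
    return sorted(unpatched, key=lambda h: (not h.domain_joined, h.name))


# Constructed sample inventory; host names and the older build numbers are made up.
SAMPLE_INVENTORY = [
    Host("vbr-01", "Veeam Backup & Replication", "12.3.2.4165", True),  # at fixed build
    Host("vbr-02", "Veeam Backup & Replication", "12.3.1.1000", True),  # older build
    Host("vbr-03", "Veeam Backup & Replication", "12.3.2", False),      # truncated entry
    Host("ws-17", "Veeam Agent for Microsoft Windows", "6.3.2.1302", True),
    Host("ws-18", "Veeam Agent for Microsoft Windows", "6.3.0.100", True),
]

if __name__ == "__main__":
    for h in triage(SAMPLE_INVENTORY):
        print(f"UNPATCHED {h.name}: {h.product} {h.version} (domain-joined={h.domain_joined})")
```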
If you have any questions about this Cybersecurity Threat Advisory, don’t hesitate to get in touch with Barracuda Managed XDR’s Security Operations Center.
This post originally appeared on Smarter MSP.