{"id":7679,"date":"2025-10-15T10:04:46","date_gmt":"2025-10-15T10:04:46","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2025\/10\/15\/critical-veeam-backup-rce-vulnerabilities-let-attackers-execute-malicious-code-remotely\/"},"modified":"2025-10-15T10:04:46","modified_gmt":"2025-10-15T10:04:46","slug":"critical-veeam-backup-rce-vulnerabilities-let-attackers-execute-malicious-code-remotely","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2025\/10\/15\/critical-veeam-backup-rce-vulnerabilities-let-attackers-execute-malicious-code-remotely\/","title":{"rendered":"Critical Veeam Backup RCE Vulnerabilities Let Attackers Execute Malicious Code Remotely"},"content":{"rendered":"

Critical Veeam Backup RCE Vulnerabilities Let Attackers Execute Malicious Code Remotely
\n \t

\n
<\/BR>
\n
\n \t

\n
<\/BR><\/p>\n

\n

Veeam Software has disclosed three serious security flaws in its Backup & Replication suite and Agent for Microsoft Windows, which enable remote code execution and privilege escalation, potentially compromising enterprise backup infrastructures.<\/p>\n

These vulnerabilities, patched in recent updates, primarily affect domain-joined systems in version 12 of the software. Organizations are urged to apply fixes immediately to prevent potential data breaches or ransomware exploitation<\/a>.<\/p>\n

\n\n\n\n\n\n\n\n
CVE ID<\/th>\nDescription<\/th>\nSeverity<\/th>\nCVSS v3.1 Score<\/th>\nAffected Versions<\/th>\nPatched Version<\/th>\n<\/tr>\n<\/thead>\n
CVE-2025-48983<\/td>\nVeeam Backup & Replication 12.3.2.3617 and all earlier versions 12 builds<\/td>\nCritical<\/td>\n9.9<\/td>\nVeeam Backup & Replication 12.3.2.3617 and all earlier version of 12 builds<\/td>\n12.3.2.4165 Patch<\/td>\n<\/tr>\n
CVE-2025-48984<\/td>\nVulnerability allowing RCE on the Backup Server by an authenticated domain user<\/td>\nCritical<\/td>\n9.9<\/td>\nVeeam Agent for Microsoft Windows 6.3.2.1205 and all earlier versions 6 builds<\/td>\n12.3.2.4165 Patch<\/td>\n<\/tr>\n
CVE-2025-48982<\/td>\nLocal Privilege Escalation in Veeam Agent for Microsoft Windows if an administrator is tricked into restoring malicious file<\/td>\nHigh<\/td>\n7.3<\/td>\nLocal Privilege Escalation in Veeam Agent for Microsoft Windows if administrator is tricked into restoring malicious file<\/td>\n6.3.2.1302<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n

Mount Service RCE Threatens Backup Hosts<\/strong><\/h2>\n

The first critical issue, CVE-2025-48983, resides in the Mount service of Veeam Backup & Replication, allowing an authenticated domain user to execute arbitrary code on backup infrastructure hosts. <\/p>\n

With a CVSS v3.1 score of 9.9, this flaw was reported by CODE WHITE and impacts all version 12 builds up to 12.3.2.3617, including unsupported older releases, which are likely vulnerable.<\/p>\n

Veeam notes that only domain-joined configurations are at risk, while the Veeam Software Appliance and forthcoming version 13 remain architecturally unaffected. <\/p>\n

The patch, build 12.3.2.4165, resolves the issue by hardening the service against unauthorized code injection<\/a>. Administrators are advised to follow Veeam\u2019s best practices, favoring workgroup setups over domain integration for enhanced security.<\/p>\n

Backup Server Exposed To Domain User Attacks<\/strong><\/h2>\n

Similarly severe is CVE-2025-48984, another RCE vulnerability targeting the Backup Server itself, exploitable by authenticated domain users with a perfect 9.9 CVSS score. <\/p>\n

Discovered by Sina Kheirkhah and Piotr Bazydlo of watchTowr, it shares the same affected versions as CVE-2025-48983, limited to domain-joined Veeam Backup & Replication v12 environments. <\/p>\n

Unsupported versions should be treated as vulnerable, though not explicitly tested. The same patch, 12.3.2.4165, eliminates this risk, emphasizing the need for swift updates in hybrid or Active Directory-integrated setups.<\/p>\n

This flaw underscores the dangers of over-privileged domain access in backup systems, potentially enabling lateral movement across networks.<\/p>\n

Agent\u2019s Restore Flaw Enables Privilege Escalation<\/strong><\/h2>\n

Complementing the RCE issues, CVE-2025-48982 affects Veeam Agent for Microsoft Windows, permitting local privilege escalation if an administrator restores a malicious file, rated high severity at 7.3 CVSS. <\/p>\n

Reported anonymously via Trend Micro\u2019s Zero Day Initiative, it hits versions up to 6.3.2.1205, integrated with Backup & Replication or standalone. <\/p>\n

Exploitation requires tricking a user into restoration, but could elevate attacker privileges significantly. Fixed in build 6.3.2.1302, this patch is crucial for endpoint protection in Windows environments. <\/p>\n

Veeam recommends<\/a> verifying all agent instances and isolating backups to mitigate social engineering<\/a> risks. Organizations using affected versions should prioritize updates to safeguard against code execution threats.<\/p>\n

Follow us on Google News<\/a>, LinkedIn<\/a>, and X<\/a> for daily cybersecurity updates. Contact us<\/a> to feature your stories.<\/strong><\/p>\n

The post Critical Veeam Backup RCE Vulnerabilities Let Attackers Execute Malicious Code Remotely<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n

\t

\n
<\/BR>
\n Cyber Advisory
\n \t

\n
<\/BR>
\nGo to cyber-security-news<\/a>
\n \t

\n
<\/BR><\/p>\n","protected":false},"excerpt":{"rendered":"

Critical Veeam Backup RCE Vulnerabilities Let Attackers Execute Malicious Code Remotely Veeam Software has disclosed three serious security flaws in its Backup & Replication suite and Agent for Microsoft Windows, which enable remote code execution and privilege escalation, potentially compromising enterprise backup infrastructures. These vulnerabilities, patched in recent updates, primarily affect domain-joined systems in version […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,648],"tags":[130],"class_list":["post-7679","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-vulnerability-news","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/7679"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=7679"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/7679\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=7679"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=7679"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=7679"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}