Critical

RCE in Veeam Backup & Replication Mount Service

IdentifiersCVE-2025-48983CWE-502

CVE-2025-48983 is a critical remote code execution vulnerability in the Mount service of Veeam Backup & Replication. Based on the provided content, the flaw is rooted in unsafe deserialization within the Mount service’s .NET Remoting channel. The service uses object serialization/deserialization for remote communication and relies on a custom binary formatter with a whitelist of allowed classes; however, that whitelist is overly broad, enabling exploitation via gadget chains in whitelisted classes. An authenticated Active Directory domain user can send a specially crafted serialized object to the Mount service, and when the service deserializes the malicious object, arbitrary code is executed on the affected backup infrastructure host. The issue affects Veeam Backup & Replication version 12 and earlier version 12 builds, including 12.3.2.3617 and earlier, on domain-joined backup infrastructure servers. The content states that workgroup deployments, the Veeam Software Appliance, and version 13 are not affected.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows arbitrary code execution on affected backup infrastructure hosts with the privileges of the Mount service process. Because the vulnerable component resides on backup infrastructure, compromise can have high impact across confidentiality, integrity, and availability, including potential takeover of backup servers, manipulation or destruction of backup data and jobs, and use of the backup environment as a pivot point within the enterprise. The provided content characterizes the issue as critical with a CVSS 3.1 base score of 9.9.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure by limiting access to the vulnerable Mount service to only strictly necessary administrative systems and users, and by minimizing or eliminating domain-user reachability to backup infrastructure where operationally feasible. Because the provided content states exploitation requires an authenticated domain user and affects domain-joined backup servers, prioritizing isolation of backup infrastructure, restricting network paths, and reducing unnecessary domain integration can lower risk until the vendor fix is applied. Workgroup-based deployments are stated as not affected.

Remediation

Patch, then assume compromise.

Upgrade Veeam Backup & Replication to version 12.3.2.4165 or later, as the provided content states this release patches CVE-2025-48983. Follow Veeam’s official advisory guidance referenced as KB4771. The content also recommends backing up configuration and data before installing the update, restarting affected services as needed, and verifying the installed version after the upgrade to confirm successful remediation.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

Veeam SoftwareVeeam Backup & Replicationapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

12 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

12 SOURCESView more in app

cvefeed high severityNews

Oct 31, 2025

CVE-2025-48983 - Veeam Backup & Replication Mount Service Authenticated RCE Vulnerability

A critical remote code execution vulnerability in the Mount service of Veeam Backup & Replication, allowing authenticated domain users to execute code on backup infrastructure hosts.

zeropath blogNews

Oct 30, 2025

Veeam Backup & Replication CVE-2025-48983: Brief Summary of Critical Remote Code Execution Vulnerability - ZeroPath Blog | ZeroPath

A critical remote code execution vulnerability in the Mount service of Veeam Backup & Replication caused by unsafe .NET Remoting deserialization, allowing any authenticated domain user to execute arbitrary code on domain-joined backup servers.

security online infoNews

Oct 15, 2025

Critical RCE Flaws CVE-2025-48983 & CVE-2025-48984 (CVSS 9.9) Found in Veeam Backup & Replication

A critical remote code execution vulnerability in Veeam Backup & Replication with a CVSS score of 9.9.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity8