Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to vulnerabilities
High

Remote Code Execution in Veeam Backup & Replication Domain-Joined Backup Server

IdentifiersCVE-2025-23121CWE-502

CVE-2025-23121 is a critical remote code execution vulnerability in Veeam Backup & Replication affecting domain-joined Backup Server deployments. The issue allows an authenticated Active Directory domain user, including a low-privileged domain user, to remotely execute arbitrary code on the Veeam Backup Server. The provided content indicates the flaw affects Veeam Backup & Replication version 12 builds, including 12.3.1.1139 and earlier 12.x releases, and multiple sources in the content characterize it as likely a bypass of the earlier fix for CVE-2025-23120. The supporting material also links this class of Veeam flaws to insecure use of Microsoft's deprecated BinaryFormatter deserialization mechanism, making CWE-502 the best-supported classification from the available information.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation results in arbitrary code execution on the Veeam Backup Server. Because backup infrastructure is typically highly privileged and centrally connected to storage, virtualization, and recovery workflows, compromise can lead to full takeover of the backup server, manipulation or hijacking of backup jobs, deletion or encryption of backups, malware deployment on backup infrastructure, theft of data contained in backups, and extraction of credentials that can support broader lateral movement or ransomware operations.

Mitigation

If you can’t patch tonight, do this now.

Apply Veeam's published security best practices in addition to patching. The content specifically notes that the vulnerability affects domain-joined backup servers, and that Veeam advises against joining backup servers to the production domain. Where feasible, isolate backup infrastructure in a separate Active Directory forest, restrict interactive and network access to the backup server, protect administrative accounts with MFA/2FA, and minimize domain-user reachability to the backup environment until patched.

Remediation

Patch, then assume compromise.

Upgrade Veeam Backup & Replication to a fixed release. The content consistently identifies Veeam Backup & Replication 12.3.2 build 12.3.2.3617 as the remediation for affected 12.x installations. Unsupported versions should be treated as vulnerable and upgraded to a supported fixed version as soon as possible.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
Veeam SoftwareVeeam Backup & Replicationapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

53 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

53 SOURCESView more in app
security affairsNews
Jun 9, 2026
Critical Veeam RCE flaw Lets Low-Privilege Users Take Over Backup Servers

A critical remote code execution vulnerability in Veeam Backup & Replication that can allow remote attackers to execute arbitrary code under certain conditions.

Read more
cloudatg insightsNews
Feb 13, 2026
AI Development & Software Engineering | CloudATG

A critical Veeam Backup & Replication vulnerability that allows remote code execution on the backup server by an authenticated domain user; patched by Veeam.

Read more
cyberthroneNews
Jan 8, 2026
Critical RCE in Veeam Backup & Replication: CVE-2025-59470

A critical RCE vulnerability in Veeam Backup & Replication affecting domain-joined servers, allowing any authenticated AD user to execute arbitrary code.

Read more
the hacker newsNews
Jun 23, 2025
⚡ Weekly Recap: Chrome 0-Day, 7.3 Tbps DDoS, MFA Bypass Tricks, Banking Trojan and More

A critical vulnerability in Veeam Backup & Replication listed as a trending CVE for the week. Specifics not detailed in the content.

Read more
+4 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity44

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2025-23121
NVD
nvd.nist.gov/vuln/detail/CVE-2025-23121
MITRE CWE · CWE-502
cwe.mitre.org
Patch
veeam.com/kb4743