Cybersecurity Threat Advisory: Veeam Backup & Replication – Multiple Vulnerabilities

As part of our effort to inform our clients about potential and serious cybersecurity issues, MCP provides advisories about vulnerabilities and exploits that could threaten the operations of their critical communications networks. Sign up to receive these advisories in your inbox as soon as they are released.

This week, a new critical alert demands the immediate attention and action of the mission-critical community, underlining the crucial role that public-safety leaders play in maintaining the security of their operations.

Advisory Overview

Veeam released an advisory warning of three vulnerabilities impacting Veeam Backup & Replication (VBR), including a critical vulnerability that could lead to remote code execution (RCE).  

• CVE-2025-23121 (CVSS 9.9): A vulnerability allowing RCE on the backup server by an authenticated domain user, which reportedly only impacts domain-joined installations.
• CVE-2025-24286 (CVSS 7.2): A vulnerability allowing an authenticated user with the backup operator role to modify backup jobs, which could execute arbitrary code.
• CVE-2025-24287 (CVSS 6.1): A vulnerability allowing local system users to modify directory contents, allowing for arbitrary code execution on the local system with elevated permissions. 

CVE-2025-23121 and CVE-2025-24286 impact VBR versions 12 and later and were patched in version 12.3.2.3617. 

CVE-2025-24287 impacts Veeam Agent for Microsoft Windows version 6 and later and was patched in version 6.3.2.1205. 

What Is the Risk?

At the time of writing (June 17, 2025), there is no evidence of active exploitation; however, VBR is an attractive target for cyberattackers. There have been multiple reports of cyberattackers, including ransomware operators, targeting vulnerabilities in VBR due to the ability to steal information and block efforts to restore environments. Additionally, Veeam’s products are used by more than 500,000 organizations worldwide, indicating a large attack surface. Ransomware groups Akira, Fog, and Frag have been reported to target VBR instances in the previous 12 months. It is likely that cyberattackers will begin targeting this vulnerability over the next 12 months.  

What Are the Recommendations?

• Immediate Action: Update VBR and Veeam Agent for Microsoft Windows to the latest available versions.
• Implement the use of least privilege to ensure access is limited to only users who require access for their job duties. 
• Enable data encryption for configuration backup to secure data stored in the configuration database.
• Implement network segmentation to define network boundaries, control traffic between subnets, and limit access to security-sensitive backup infrastructure components.
• Implement the use of multifactor authentication and enforce strong authentication measures. 

References

• Veeam Advisory 

How MCP Can Help

MCP offers a comprehensive cybersecurity solutions suite designed specifically for public-safety and justice entities and other critical-infrastructure organizations to help them determine their network, data, and application vulnerabilities. We can help you develop a complete cyberattack prevention strategy. Contact JasonFranks@MissionCriticalPartners.com today to learn more.