Veeam, the business backup platform often described as a “data lifeline”, has released emergency patches for three serious security vulnerabilities, including two remote code execution (RCE) flaws with a near-maximum CVSS score of 9.9. These vulnerabilities directly affect Veeam Backup & Replication, a tool used by thousands of organizations worldwide to protect critical data in their IT infrastructure. If exploited, an attacker can take control of the backup server and use it to push deeper into the enterprise’s internal network.
The two most serious vulnerabilities are CVE-2025-48983 and CVE-2025-48984, both in core components of the software. According to Veeam’s advisory, CVE-2025-48983 originates in the Mount service of Veeam Backup & Replication and allows an authenticated user account in the same network environment to execute code remotely on the backup server. Notably, the attacker does not need system administrator rights, only an account with valid access, so a hacked or stolen account is enough to make the risk significant.
Meanwhile, CVE-2025-48984 affects the Backup Server component and allows an attacker who already has valid access inside the enterprise intranet to execute arbitrary code remotely on the backup server. In other words, exploitation requires that the attacker can reach the Veeam server from the same network or has captured a user account in the domain.
Both vulnerabilities exist in Veeam Backup & Replication version 12.3.2.617 and all earlier 12.x versions, and primarily affect servers deployed in a domain-joined enterprise environment. Veeam said newer architectures, including the Veeam Software Appliance and the upcoming Backup & Replication v13, have been redesigned to eliminate this risk entirely.
Patch 12.3.2.4165 has now been released to fix the two RCE vulnerabilities. Veeam recommends that users deploy the update immediately to minimize the risk of exploitation in real-world environments. Because the backup system usually holds all of the enterprise’s data, configuration and recovery points, a hijacked backup server can set off a serious chain reaction, from deletion or encryption of data to the deployment of ransomware.
In addition, Veeam fixed a privilege escalation vulnerability, CVE-2025-48982, rated High severity with a CVSS score of 7.3. It affects Veeam Agent for Microsoft Windows and can be exploited if an administrator inadvertently restores a malicious file, causing malicious code to run with the highest system privileges; the attacker can then take full control of the device. The issue was present in Veeam Agent 6.3.2.1205 and all earlier 6.x versions. Veeam released patch 6.3.2.1302 to fully address it.
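To turn the build numbers above into something an administrator can act on, here is an added triage script (not Veeam’s code; the host names and installed versions are constructed sample input) that classifies an inventory against the affected and fixed builds named in the article. It also shows the one pitfall worth knowing when scripting this kind of check: compared as plain strings, 12.3.2.617 sorts above 12.3.2.4165, so versions must be compared as numeric tuples.

```python
"""Version triage for the Veeam advisories described in the article.

Added example, not Veeam's own tooling. The affected and fixed builds come
from the article; everything else (host names, installed versions) is
constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    product: str
    cves: tuple
    affected_major: int   # the release line the article says is affected
    fixed: str            # first build that carries the fix


# Facts from the article: 12.x up to 12.3.2.617 is affected, 12.3.2.4165 fixes it;
# Agent 6.x up to 6.3.2.1205 is affected, 6.3.2.1302 fixes it.
ADVISORIES = (
    Advisory("Veeam Backup & Replication",
             ("CVE-2025-48983", "CVE-2025-48984"), 12, "12.3.2.4165"),
    Advisory("Veeam Agent for Microsoft Windows",
             ("CVE-2025-48982",), 6, "6.3.2.1302"),
)


def parse_version(text: str) -> tuple:
    """'12.3.2.617' -> (12, 3, 2, 617).

    Numeric tuples compare correctly; a plain string comparison ranks
    '12.3.2.617' above '12.3.2.4165' because '6' > '4'.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def assess(product: str, installed: str) -> dict:
    """Classify one installed product as vulnerable, patched or out of scope."""
    adv = next((a for a in ADVISORIES if a.product == product), None)
    if adv is None:
        return {"product": product, "installed": installed,
                "status": "unknown-product", "cves": ()}
    version = parse_version(installed)
    if version[0] != adv.affected_major:
        # The article only covers the 12.x / 6.x lines; other lines need
        # their own check rather than a guess.
        status = "out-of-scope"
    elif version >= parse_version(adv.fixed):
        status = "patched"
    else:
        # Every build in the affected line below the fix is treated as
        # vulnerable (fail closed), matching the article's "all earlier" wording.
        status = "vulnerable"
    return {"product": product, "installed": installed, "status": status,
            "cves": adv.cves if status == "vulnerable" else ()}


def vulnerable_hosts(inventory) -> list:
    """Return host names from (host, product, version) rows that still need the patch."""
    return [host for host, product, version in inventory
            if assess(product, version)["status"] == "vulnerable"]


# Constructed sample inventory (host names and the 11.0.0.0 entry are placeholders).
SAMPLE_INVENTORY = [
    ("srv-backup-01", "Veeam Backup & Replication", "12.3.2.617"),
    ("srv-backup-02", "Veeam Backup & Replication", "12.3.2.4165"),
    ("srv-backup-03", "Veeam Backup & Replication", "11.0.0.0"),
    ("wks-finance-07", "Veeam Agent for Microsoft Windows", "6.3.2.1205"),
    ("wks-hr-03", "Veeam Agent for Microsoft Windows", "6.3.2.1302"),
]

if __name__ == "__main__":
    for host, product, version in SAMPLE_INVENTORY:
        result = assess(product, version)
        print(f"{host:15} {version:12} {result['status']:13} {' '.join(result['cves'])}")
    print("needs patch:", vulnerable_hosts(SAMPLE_INVENTORY))
```

Feed `assess` with whatever your asset inventory or configuration management database reports as the installed build; the script deliberately refuses to guess about release lines the article does not mention, so a 13.x or 11.x host shows up as out-of-scope rather than silently passing.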
Veeam’s announcement and remediation of these vulnerabilities highlight the growing risk to backup infrastructure, which is a prime target in many current cyberattacks. In recent ransomware campaigns, taking control of the backup system means suppressing the victim’s ability to recover data. With two RCE vulnerabilities scoring 9.9, any business slow to deploy the patch places itself in the highest-risk zone. Veeam emphasized that applying the update is not only a preventive step but a mandatory measure to protect data integrity and maintain the resilience of the entire internal security system.