Veeam patches critical Backup & Replication flaws that allow remote code execution

Peter Chofield

Veeam has released security updates for Backup & Replication 12.3.2 to fix multiple vulnerabilities, including a critical flaw that allows remote code execution on the backup server by an authenticated domain user. The company said the most severe issue, CVE-2025-23121, carries a CVSS v3.0 score of 9.9 and affects domain-joined backup servers running Veeam Backup & Replication 12.3.1.1139 and all earlier version 12 builds.

According to Veeam’s advisory, CVE-2025-23121 was reported by Piotr Bazydlo of watchTowr and CodeWhite and can lead to remote code execution on the Backup Server. Veeam said the bug only impacts domain-joined backup servers and was fixed in Veeam Backup & Replication 12.3.2, build 12.3.2.3617.

The same advisory also addresses CVE-2025-24286, a high-severity vulnerability with a CVSS v3.1 score of 7.2 that allows an authenticated user with the Backup Operator role to modify backup jobs in a way that could execute arbitrary code. Veeam said this issue affects the same Backup & Replication builds as CVE-2025-23121 and is also fixed in version 12.3.2 build 12.3.2.3617.

Veeam also disclosed CVE-2025-24287, a medium-severity bug in Veeam Agent for Microsoft Windows with a CVSS v3.1 score of 6.1. The company said the flaw allows local system users to modify directory contents and achieve arbitrary code execution on the local system with elevated permissions, and that it was fixed in Veeam Agent for Microsoft Windows 6.3.2, build 6.3.2.1205.

Critical issue affects domain-joined backup servers

Veeam’s KB article states that CVE-2025-23121 only affects domain-joined backup servers, a detail that can materially change exposure depending on how Backup & Replication is deployed: a workgroup-mode backup server is outside the scope of the critical issue but is still exposed to CVE-2025-24286 until it is upgraded to build 12.3.2.3617. The company pointed customers to its guidance on workgroup versus domain deployments and said unsupported product versions were not tested but should be considered vulnerable, so any version 12 build earlier than 12.3.2.3617 on a domain-joined server should be treated as affected.
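The triage implied by the advisory, as an added PowerShell example that is not from the article or from Veeam: it checks whether the backup server is domain-joined and compares the installed Backup & Replication build against 12.3.2.3617, then reports which of the two server-side CVEs apply. The script assumes (not stated on the page) that the installed build can be read from the file version of Veeam.Backup.Core.dll in the directory named by the CorePath value under HKLM:\SOFTWARE\Veeam\Veeam Backup and Replication; adjust that lookup if your installation differs. It does not check Veeam Agent for Microsoft Windows, which is a separate product.

```powershell
# Added example (not Veeam's code): map this server onto the advisory's affected builds.
# Run elevated on the Backup & Replication server.

$FixedBuild = [version]'12.3.2.3617'   # build that resolves CVE-2025-23121 and CVE-2025-24286

# 1. Domain membership decides whether the critical CVE-2025-23121 applies at all.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
$domainJoined = [bool]$cs.PartOfDomain

# 2. Installed build. Assumption: CorePath registry value points at the install directory
#    and Veeam.Backup.Core.dll carries the product build in its file version.
$regKey   = 'HKLM:\SOFTWARE\Veeam\Veeam Backup and Replication'
$corePath = (Get-ItemProperty -Path $regKey -ErrorAction Stop).CorePath
$dll      = Join-Path -Path $corePath -ChildPath 'Veeam.Backup.Core.dll'
$fileVer  = (Get-Item -Path $dll -ErrorAction Stop).VersionInfo.FileVersion
# FileVersion can carry trailing text; keep only the dotted numeric part before casting.
$installed = [version]([regex]::Match($fileVer, '\d+(\.\d+){1,3}').Value)

# 3. Decide which advisory items apply.
$findings = New-Object System.Collections.Generic.List[string]
if ($installed.Major -eq 12 -and $installed -lt $FixedBuild) {
    if ($domainJoined) {
        $findings.Add('CVE-2025-23121 (CVSS 9.9): domain-joined server, authenticated domain user -> RCE')
    }
    $findings.Add('CVE-2025-24286 (CVSS 7.2): Backup Operator role -> job modification -> code execution')
}
elseif ($installed.Major -lt 12) {
    # Versions older than 12 were not tested by the vendor; the advisory says to treat them as vulnerable.
    $findings.Add('Unsupported major version: treat as vulnerable and upgrade to 12.3.2.3617')
}

[pscustomobject]@{
    ComputerName  = $cs.Name
    DomainJoined  = $domainJoined
    Domain        = $cs.Domain
    InstalledBuild = $installed.ToString()
    FixedBuild    = $FixedBuild.ToString()
    Patched       = ($installed -ge $FixedBuild)
    Findings      = if ($findings.Count) { $findings -join '; ' } else { 'None from this advisory' }
} | Format-List
```

The domain-join test is the part worth keeping even if you read the version another way: a server that reports PartOfDomain = False still needs the 12.3.2 update for CVE-2025-24286, but it is not in scope for the 9.9 issue, which is what the advisory's exposure statement turns on.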

The advisory says CVE-2025-24286 was reported by Nikolai Skliarenko with Trend Micro, while CVE-2025-24287 was reported by an anonymous contributor working with the Trend Zero Day Initiative. All vulnerabilities documented in the article were resolved in Veeam Backup & Replication 12.3.2, with the Windows Agent issue additionally remediated in Veeam Agent for Microsoft Windows 6.3.2.

The Veeam update lands amid a broader stream of enterprise software security fixes covered by Cyberwarzone, including CISA’s KEV addition for the actively exploited n8n RCE flaw and Qualys’ CrackArmor disclosure affecting Linux AppArmor.