Backup and recovery provider Veeam has released security patches for three vulnerabilities in its product suite, including two critical Remote Code Execution (RCE) vulnerabilities.
Two of the flaws are critical and affect domain-joined Veeam Backup & Replication v12 servers and backup infrastructure hosts. Veeam recommends deploying Backup & Replication in a workgroup or a separate management domain rather than in the production domain.
The third vulnerability, marked as high severity, impacted Veeam Agent for Microsoft Windows 6.3.2.1205 and all earlier version 6 builds.
Veeam did not report in-the-wild exploitation in the advisory; however, the company warns patches may be reverse-engineered, meaning customers should install patches as soon as possible.
The RCE flaws are fixed in Veeam Backup & Replication 12.3.2.4165, and the Windows Agent LPE is fixed in Veeam Agent 6.3.2.1302. Full details of all three vulnerabilities are in Veeam's advisory.
RCE On Backup Infrastructure Hosts
The first vulnerability, tracked as CVE-2025-48983, affected the Mount service of Veeam Backup & Replication.
It allowed for Remote Code Execution (RCE) on the Backup infrastructure hosts by an authenticated domain user. The severity was marked as Critical, with a CVSS v3.1 Score of 9.9.
This issue affects Veeam Backup & Replication 12.3.2.3617 and all earlier version 12 builds. Importantly, it only impacts domain-joined Veeam Backup & Replication v12 backup infrastructure servers.
This vulnerability was reported by CODE WHITE.
RCE On Backup Servers
The second vulnerability, CVE-2025-48984, could allow for an RCE on the backup server by an authenticated domain user. This vulnerability was also ranked as Critical, with a CVSS v3.1 Score of 9.9.
As with the previous CVE, this flaw only impacts domain-joined Veeam Backup & Replication infrastructure servers.
This vulnerability was reported by Sina Kheirkhah (@SinSinology) and Piotr Bazydlo (@chudyPB) of watchTowr.
Local Privilege Escalation
The final vulnerability disclosed, CVE-2025-48982, impacts the Veeam Agent for Microsoft Windows.
The flaw enables Local Privilege Escalation if a system administrator is tricked into restoring a malicious file.
The vulnerability has been marked as high severity, and given a CVSS v3.1 score of 7.3.
It impacts the Veeam Agent for Microsoft Windows 6.3.2.1205 and all earlier version 6 builds.
This vulnerability was reported by an anonymous bug hunter working for the Trend Micro Zero Day Initiative.
How To Stay Secure
All of these vulnerabilities have now been patched by Veeam via the Veeam Backup & Replication 12.3.2.4165 Patch, which also includes the updated Veeam Agent for Windows 6.3.2.1302 build for standalone users.
Backups are high-value targets for ransomware and extortion. RCE on backup infrastructure can enable credential theft, policy tampering, and restore sabotage.
We would urge Veeam customers to install these patches and ensure they are protected against these risks.
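The two checks an administrator wants after reading this are whether each host runs a build at or above the fixed builds named above, and whether the host is domain-joined, since that is the precondition for the two RCE flaws. The following PowerShell is an added example, not code from Veeam or from the article; it reads product versions from the standard Windows Uninstall registry keys and domain membership from Win32_ComputerSystem. It assumes the registered DisplayName values begin with "Veeam Backup & Replication" and "Veeam Agent for Microsoft Windows"; adjust the names if your installation registers them differently.

```powershell
# Added example (not Veeam's or the article's code): compare installed Veeam builds
# against the fixed builds from the advisory and report domain membership.
# Assumption: DisplayName values in the Uninstall keys start with the product names below.

$fixedBuilds = @{
    'Veeam Backup & Replication'        = [version]'12.3.2.4165'   # fixes CVE-2025-48983 / CVE-2025-48984
    'Veeam Agent for Microsoft Windows' = [version]'6.3.2.1302'    # fixes CVE-2025-48982
}

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Collect every Veeam product registered on this host with its DisplayVersion.
$installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'Veeam*' -and $_.DisplayVersion } |
    Select-Object DisplayName, DisplayVersion

foreach ($product in $fixedBuilds.Keys) {
    $entry = $installed | Where-Object { $_.DisplayName -like "$product*" } | Select-Object -First 1
    if (-not $entry) { continue }   # product not installed here

    # [version] handles 2- to 4-part strings. A 3-part DisplayVersion (no build number)
    # sorts below the 4-part fixed build, so the worst case is a false "VULNERABLE",
    # never a false "OK"; confirm such cases in the console's Help > About dialog.
    $current = [version]$entry.DisplayVersion
    if ($current -lt $fixedBuilds[$product]) {
        Write-Output "VULNERABLE: $($entry.DisplayName) $current is below fixed build $($fixedBuilds[$product])"
    } else {
        Write-Output "OK: $($entry.DisplayName) $current"
    }
}

# The two RCE flaws only reach domain-joined B&R servers and infrastructure hosts.
# A workgroup host still needs the update, but is not exposed to the domain-user path.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if ($cs.PartOfDomain) {
    Write-Output "Host is domain-joined ($($cs.Domain)): CVE-2025-48983/48984 preconditions apply until patched"
} else {
    Write-Output "Host is in workgroup '$($cs.Workgroup)': matches Veeam's deployment recommendation"
}
```

Run it in an elevated PowerShell session on each backup server, infrastructure host, and Agent-protected workstation; a "VULNERABLE" line on a domain-joined backup server is the combination to remediate first.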