On June 17, 2025, Veeam published KB4744 disclosing CVE-2025-23121, a remote code execution vulnerability in the Veeam Backup & Replication server reachable by any authenticated domain user. The CVSS v3.1 base score is 9.9 (vector AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H). Backup infrastructure has been ransomware's favorite blast radius since the Conti era — compromising the backup server allows wiping recovery points before encrypting production — so Veeam advisories routinely become emergency patch events even when the prerequisites look modest. CVE-2025-23121 is no exception: "authenticated domain user" in most environments includes every helpdesk technician, summer intern, and stale service account.
What does the vendor advisory say?
Veeam KB4744 describes CVE-2025-23121 as a deserialization issue in a backup server agent that processes messages from authenticated callers. Successful exploitation results in arbitrary code execution under the Veeam Backup Service account, which traditionally runs as LOCAL SYSTEM or a privileged domain account. Veeam credits CodeWhite and watchTowr Labs for coordinated disclosure. The vendor's advisory explicitly notes that the vulnerability only affects deployments where the Veeam Backup Server is joined to an Active Directory domain — which the Veeam Security & Compliance Analyzer has flagged as a misconfiguration since version 11, but which the product still allows. Standalone, workgroup-mode backup servers running their own local accounts are not exposed to this specific CVE chain, though Veeam still recommends patching.
Which versions are affected and which are patched?
CVE-2025-23121 affects all Veeam Backup & Replication 12.x builds up to and including 12.3.1.1139. The fixed build is 12.3.2.3617, shipped on June 17, 2025. Backups running on Veeam Backup & Replication 11 (build 11.0.x) and earlier are out of mainstream support; Veeam's KB4744 advises that those builds are likely affected by the same class of issue and recommends migration to 12.3.2. The fix is delivered as a cumulative update — administrators should not attempt to extract just the patched DLLs because Veeam's installer also updates SQL schemas and registry-stored job metadata. Verify the running build via Get-VBRInstallerInfo in the Veeam PowerShell module or the Configuration Backup History dialog in the Veeam console.
Two adjacent CVEs were fixed in the same 12.3.2.3617 build: CVE-2025-23120 (a separate deserialization issue in the same domain-user attack class) and CVE-2025-24286 (privilege escalation in the Veeam Agent for Windows). Apply the cumulative — do not pick one.
Is it in CISA KEV and what is the EPSS score?
As of publication, CVE-2025-23121 is not listed in CISA KEV. EPSS scoring is currently 0.41, reflecting the moderate barrier of needing any domain credential. However, the precedent set by CVE-2023-27532 and CVE-2024-40711 — both Veeam B&R RCEs that landed in KEV within 90 days of disclosure after ransomware groups weaponized them — means this CVE should be treated as KEV-eligible regardless of current listing. Both watchTowr and Sophos X-Ops have publicly noted that "authenticated domain user" is a low bar in practice and that the patch should be applied with the same urgency as an unauthenticated CVE.
How do you find vulnerable instances in your SBOM?
Backup servers are often missed in SBOM inventories because they sit in management subnets rather than production estates. Tag them explicitly in your CMDB and ingest the Veeam product manifest (registry path HKLM\SOFTWARE\Veeam\Veeam Backup and Replication) into your asset graph. Safeguard saved query:
# Identify Veeam servers still below 12.3.2.3617
safeguard scan --cve CVE-2025-23121 --product veeam-backup-replication
# Show backup servers joined to a domain (the prerequisite for exploitation)
safeguard assets list \
--filter "vendor=veeam AND product=backup-replication AND domain_joined=true" \
--include-cve CVE-2025-23121,CVE-2025-23120
For shops without an asset graph, the lightest enumeration is a PowerShell remoting loop that queries each suspected backup server for (Get-Item 'HKLM:\SOFTWARE\Veeam\Veeam Backup and Replication').GetValue('CorePackageVersion') and compares against 12.3.2.3617.
What is the recommended patch rollout?
Veeam's recommended sequence:
- Snapshot the configuration backup (
Configuration Backupjob, on demand). - Verify replication and backup jobs are idle; pause any running.
- Download the cumulative installer (
VeeamBackup&Replication_12.3.2.3617.iso) from veeam.com. - Run
Setup.exefrom the ISO; the unattended path isSetup.exe /silent /accepteula /acceptthirdpartylicenses /UPDATE. - Restart the Veeam Backup Service and Veeam Broker Service.
- Run the Security & Compliance Analyzer (
Menu > Security & Compliance Analyzer) to confirm the upgrade closed the domain-joined warning bucket. - Resume backup jobs and verify the next scheduled run completes with a green status.
For environments running the Veeam Backup Enterprise Manager, upgrade Enterprise Manager first, then the managed Backup Servers, then the Veeam Agents distributed to endpoints. The agent upgrade is the longest tail — plan a 2–4 week SLA depending on endpoint connectivity.
Compensating control while patching: detach the Veeam Backup Server from the production AD domain and place it in a hardened standalone workgroup with local administrator accounts only. This is Veeam's permanent recommendation in the Security Best Practices Guide and eliminates the CVE-2025-23121 prerequisite entirely. The downside is that some Enterprise Manager features require domain membership, so this control should be paired with full patching, not used as a substitute.
What detections does the vendor or CISA publish?
Veeam KB4744 includes a list of suspicious indicators on the backup server. Defenders should add the following to their SIEM (sourced from the Veeam Security & Compliance Analyzer documentation):
# Source: Veeam KB4744 and Security & Compliance Analyzer, 2025-06-17
title: Veeam Backup Service Unexpected Child Process
status: stable
logsource:
product: windows
service: process_creation
detection:
selection:
ParentImage|endswith:
- '\Veeam.Backup.Service.exe'
- '\Veeam.Backup.Manager.exe'
Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
- '\rundll32.exe'
- '\regsvr32.exe'
filter_legit:
CommandLine|contains:
- 'Veeam.Backup.PowerShell'
condition: selection AND NOT filter_legit
fields:
- User
- ParentImage
- Image
- CommandLine
level: high
Sophos X-Ops MDR Threat Intelligence has also published a free Sigma rule pack covering the post-exploitation tooling observed in ransomware operations against CVE-2023-27532 and CVE-2024-40711 — apply those rules to CVE-2025-23121 telemetry as well, since the attacker tradecraft is consistent across the three Veeam RCEs.
The post-patch verification checklist that backup-infrastructure operators frequently skip: confirm that veeam.backup.service.exe is running under the upgraded version path; verify the SQL schema upgrade completed by checking the dbo.Configuration table for CorePackageVersion = 12.3.2.3617; rotate the Veeam Backup Service account password if it has been unchanged for more than 90 days; review the configuration backup encryption password and the Get-VBREncryptionKey output to ensure no orphan keys remain accessible to compromised service accounts; run the Veeam Recovery Verification job against a small sample of backup files to confirm restore integrity. Backup integrity is the canonical post-incident control because the ransomware playbook against Veeam infrastructure typically corrupts backups before patch installation rather than after.
For organizations running Veeam Cloud Connect or Veeam Backup for Microsoft 365, the corresponding fixed builds for those products ship in the same June 2025 release: VCC 12.3.2.3617 and VB365 8.2 Patch 1. Apply the cumulative across the entire Veeam product family in one change window to avoid leaving any RCE-reachable component behind.
How Safeguard Helps
Safeguard ingests the Veeam product manifest from every backup server registered in the asset graph, then matches the running build against the fixed-build matrix and surfaces non-compliant servers in the Vulnerability Response dashboard. A built-in compliance check verifies the Veeam Security & Compliance Analyzer result, flagging backup servers still joined to the production AD domain as an architectural risk regardless of patch state. Policy gates block deployment of new Veeam servers from images below 12.3.2.3617, and a ServiceNow connector files a change ticket per backup server with the cumulative installer hash, the KB4744 advisory link, and the Security & Compliance Analyzer remediation checklist attached as evidence. VEX statements from Veeam are auto-ingested for workgroup-mode installs that the vendor confirms are not exposed to the domain-joined attack class. Griffin AI scores backup infrastructure by ransomware blast radius — flagging backup servers whose service account has Domain Admin equivalents, which is the configuration ransomware groups most often abuse.