CVE-2025-23121
Published 2025-06-19
CVE-2025-23121: A vulnerability allowing remote code execution (RCE) on the Backup Server by an authenticated domain user
Priority P266 · high · 8.8 (CVSS 3.1)
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 11.61% (95.5th percentile)
A vulnerability allowing remote code execution (RCE) on the Backup Server by an authenticated domain user
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| veeam | backup_and_recovery | 12.3.1 – 12.3.1 | — |
| veeam | veeam_backup_replication | < 12.3.2.3617 | 12.3.2.3617 |
Detection & IOCs
- CVE-2025-23121 only affects Veeam Backup & Replication installations that are joined to a Windows domain; non-domain-joined installations are not vulnerable.
- Any authenticated domain user can exploit CVE-2025-23121 in low-complexity attacks; monitor for unexpected remote code execution activity originating from domain user accounts against Veeam Backup Server processes.
- Veeam Backup & Replication versions 12 and later (prior to 12.3.2.3617) are affected; detect unpatched instances by identifying VBR installations below version 12.3.2.3617.
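CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | 3.0 | 9.9 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |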
No detection rules found.
No public exploits indexed.
Checkpoint
23rd June – Threat Intelligence Report
blogs_checkpoint·2025-06-23
CVE-2025-23121 23rd June – Threat Intelligence Report
## 23rd June – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 23rd June, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
Scania, a Swedish manufacturer of heavy trucks and engines, has suffered a data breach that resulted in the theft of insurance claim documents from its Financial Services systems via compromised credentials of an external IT partner. The stolen data is likely to contain personal, financial, or medical information. The attack ha
Bleepingcomputer
New Veeam RCE flaw lets domain users hack backup servers
blogs_bleepingcomputer·2025-06-17·CVSS 9.8
CVE-2025-23121 [CRITICAL] New Veeam RCE flaw lets domain users hack backup servers
## New Veeam RCE flaw lets domain users hack backup servers
## Sergiu Gatlan
Veeam has released security updates today to fix several Veeam Backup & Replication (VBR) flaws, including a critical remote code execution (RCE) vulnerability.
Tracked as CVE-2025-23121, this security flaw was reported by security researchers at watchTowr and CodeWhite, and it only impacts domain-joined installations.
As Veeam explained in a Tuesday security advisory, the vulnerability can be exploited by authenticated domain users in low-complexity attacks to gain code execution remotely on the Backup Server. This flaw affects Veeam Backup & Replication 12 or later, and it was fixed in version 12.3.2.3617, which was released earlier today.
While CVE-2025-23121 only impacts VBR installations joined to a dom
2025-06-19
Published