CVE-2025-48984
published 2025-10-31

CVE-2025-48984: A vulnerability allowing remote code execution (RCE) on the Backup Server by an authenticated domain user.

Priority: P2 · 61
Severity: high
CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.98% (57.7th percentile)

Affected

2 ranges
Vendor | Product | Version range | Fixed in
veeam | backup_and_replication | 12.3.2 – 12.3.2 |
veeam | veeam_backup_replication | >= 12.0.0.1402 < 12.3.2.4165 | 12.3.2.4165

Detection & IOCs (extracted from sources)

  • Monitor for unexpected crashes or unusual outgoing traffic from the Veeam Backup & Replication server, which may indicate exploitation of CVE-2025-48984.
  • Monitor server logs for unauthorized commands and scan for requests to known malicious domains targeting the Veeam Backup & Replication service.
  • Configure SIEM platforms with custom detection rules to identify malicious API activity or unusual commands targeting backup services.
  • Use host-based detection systems (HIDS) to monitor for unauthorized files appearing on the Veeam Backup & Replication server.
  • The Huntress source contradicts the NVD advisory: Huntress describes the vulnerability as exploitable by unauthenticated attackers, while NVD states it requires an authenticated domain user. Detections and mitigations should account for both scenarios until clarified by the vendor.
  • NVD describes CVE-2025-48984 as requiring an authenticated domain user for exploitation, which limits the attack surface compared to the unauthenticated claim in the Huntress source.
  • The Huntress source lists affected versions as Veeam Backup & Replication 12.0.0.1420 and earlier, and 11.0.1.1261 and earlier, with Patch KB4771 as the fix. Verify these version numbers against the official Veeam advisory before using for detection scoping.