A remote code execution (RCE) vulnerability, CVE-2025-48984, allows authenticated domain users to execute arbitrary code on Veeam Backup Servers running version 12.3.2.3617 or earlier. The exploit uses insecure deserialization in network services on domain-joined servers.

The Fix

Apply the official patch. The following methods are listed in order of effectiveness.

Primary Method: Apply the Official Patch

Download and install Veeam Backup & Replication version 12.3.2.4165 or later from the official Veeam website (KB4771). Run the installer as an administrator on the primary Backup Server; it will handle service restarts. Reboot the server after installation.

If That Doesn't Work: Apply Interim Mitigations

If patching is not possible, apply these temporary measures. These are not substitutes for the update.

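1. Harden Network Access: Use the Windows Defender Firewall to block inbound connections to the vulnerable service ports from non-essential subnets. As written, the rule below blocks all inbound TCP connections to ports 9392 and 9401 on the Domain profile; to block only specific subnets, add -RemoteAddress with those subnets.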

New-NetFirewallRule -DisplayName "Block Veeam Vuln Ports Interim" -Direction Inbound -Protocol TCP -LocalPort 9392,9401 -Action Block -Profile Domain

2. Disable Vulnerable Services (Breaks Functionality): As a last resort, you can disable the core services. Backup operations will stop.

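# Set-Service only changes the startup type; stop the running services as well.
Stop-Service -Name "VeeamMountSvc", "VeeamBackupSvc" -Force
Set-Service -Name "VeeamMountSvc" -StartupType Disabled
Set-Service -Name "VeeamBackupSvc" -StartupType Disabled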

After patching, re-enable both services by setting their startup type back to Automatic (for example, Set-Service -Name "VeeamBackupSvc" -StartupType Automatic) and then start them.

If That Doesn't Work: Verify Domain Join and Audit Access

This vulnerability only affects domain-joined servers. Confirm your Backup Server's status. Audit and restrict Active Directory group memberships, such as "Veeam Backup Administrators," to reduce the number of users who could exploit this flaw before patching.

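# Returns True when the server is domain-joined (Get-CimInstance replaces the deprecated Get-WmiObject).
(Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain
# Requires the ActiveDirectory PowerShell module.
Get-ADGroupMember -Identity "Veeam Backup Administrators" | Select-Object Name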

Verify

After applying the patch, confirm the update and check for indicators of compromise.

Confirm Patch Version:

Check the system registry to verify the installed build number is 12.3.2.4165 or higher.

Get-ItemProperty "HKLM:\SOFTWARE\Veeam\Veeam Backup and Replication" -Name "BuildNumber" | Select-Object BuildNumber
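
The version check above combined with the domain-join condition, as an added example (not from the original page or from Veeam). It compares builds as [version] values rather than strings; the function name Test-VeeamBuildExposure and its status strings are hypothetical, and the sample build numbers are constructed.

```powershell
# Added example, not Veeam's code. The registry path and value name are the ones
# used on this page; the function name and output fields are hypothetical.
$FixedBuild = [version]'12.3.2.4165'   # first fixed build per this page

function Test-VeeamBuildExposure {
    param(
        [Parameter(Mandatory)][AllowEmptyString()][string]$BuildNumber,
        [Parameter(Mandatory)][bool]$PartOfDomain
    )
    $parsed = $null
    # TryParse avoids a terminating error on an empty or malformed value.
    if (-not [version]::TryParse($BuildNumber, [ref]$parsed)) {
        $status = 'Unknown: build number could not be parsed'
    } elseif ($parsed -ge $FixedBuild) {
        $status = 'Patched'
    } elseif ($PartOfDomain) {
        $status = 'Vulnerable: unpatched and domain-joined'
    } else {
        $status = 'Unpatched, but not domain-joined'
    }
    [pscustomobject]@{
        Build        = $BuildNumber
        PartOfDomain = $PartOfDomain
        Status       = $status
    }
}

# Constructed sample inputs showing why a numeric compare matters:
# as strings, '12.3.2.10000' sorts before '12.3.2.4165'.
Test-VeeamBuildExposure -BuildNumber '12.3.2.3617'  -PartOfDomain $true
Test-VeeamBuildExposure -BuildNumber '12.3.2.10000' -PartOfDomain $true
Test-VeeamBuildExposure -BuildNumber '12.3.2.4165'  -PartOfDomain $false

# Live check on the Backup Server itself.
$key  = 'HKLM:\SOFTWARE\Veeam\Veeam Backup and Replication'
$prop = Get-ItemProperty -Path $key -Name 'BuildNumber' -ErrorAction SilentlyContinue
if ($prop) {
    $domain = (Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain
    Test-VeeamBuildExposure -BuildNumber ([string]$prop.BuildNumber) -PartOfDomain $domain
} else {
    Write-Warning "BuildNumber not found under $key"
}
```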

Check Service Health:

Ensure the core Veeam services are running.

Get-Service -Name "VeeamBackupSvc", "VeeamMountSvc" | Select-Object Name, Status, StartType

Review Logs for Anomalies:

While no specific log entry denotes exploitation, scan for unexpected errors or process creations. Examine the Mount Service log and recent system events.

Select-String -Path "C:\ProgramData\Veeam\Backup\MountServer\Mount.log" -Pattern "Exception|Error|Failed" -Context 2 | Select-Object -Last 20
# Filter by time at the source so the one-day window is not cut short by a fixed event count.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; StartTime = (Get-Date).AddDays(-1) } | Where-Object { $_.ProviderName -match "Veeam" } | Format-Table TimeCreated, Id, Message -AutoSize -Wrap