Veeam Software has released patches addressing three newly disclosed vulnerabilities, including two critical Remote Code Execution (RCE) flaws in Veeam Backup & Replication and one privilege escalation flaw in Veeam Agent for Microsoft Windows.
The issues, tracked as CVE-2025-48983, CVE-2025-48984, and CVE-2025-48982, could allow attackers to gain unauthorized control over enterprise backup infrastructure and escalate privileges on compromised systems.
The most severe — CVE-2025-48983 and CVE-2025-48984 — both carry a CVSS score of 9.9, placing them in the critical severity category.
According to Veeam’s advisory, CVE-2025-48983 affects the Mount service in Veeam Backup & Replication, allowing an authenticated domain user to execute arbitrary code remotely on vulnerable backup infrastructure hosts.
“A vulnerability in the Mount service of Veeam Backup & Replication allows for remote code execution (RCE) on the Backup infrastructure hosts by an authenticated domain user,” the company stated in its advisory.
Meanwhile, CVE-2025-48984 impacts the Backup Server component, where a domain user with network access can similarly achieve RCE.
Both vulnerabilities affect Veeam Backup & Replication 12.3.2.3617 and all earlier version 12 builds, but are limited to domain-joined servers.
“This vulnerability only impacts domain-joined Veeam Backup & Replication v12 backup infrastructure servers,” Veeam explained, confirming that newer architectures are immune.
The company emphasized that the Veeam Software Appliance and the upcoming Backup & Replication v13 are architecturally not impacted by these vulnerabilities.
Both critical vulnerabilities have been resolved in the latest build, Veeam Backup & Replication 12.3.2.4165 Patch, which users are urged to deploy immediately.
A third vulnerability, CVE-2025-48982, rated High (CVSS 7.3), affects Veeam Agent for Microsoft Windows. The flaw could allow local privilege escalation if a system administrator is deceived into restoring a malicious file.
“This vulnerability in Veeam Agent for Microsoft Windows allows for Local Privilege Escalation if a system administrator is tricked into restoring a malicious file,” Veeam wrote.
The issue affects Veeam Agent for Windows 6.3.2.1205 and all earlier version 6 builds. It has been fixed in version 6.3.2.1302.
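As an added illustration (not Veeam's code or advisory text), the following inventory check applies the fixed builds and the domain-joined condition stated above to a constructed list of hosts; the hostnames and the older build numbers in the sample data are hypothetical.

```python
from typing import NamedTuple

# Fixed builds from the advisory; earlier builds in the same major line are affected.
ADVISORY = {
    "Veeam Backup & Replication": ((12, 3, 2, 4165), ("CVE-2025-48983", "CVE-2025-48984")),
    "Veeam Agent for Microsoft Windows": ((6, 3, 2, 1302), ("CVE-2025-48982",)),
}

class Finding(NamedTuple):
    host: str
    product: str
    build: str
    needs_patch: bool
    cves: tuple
    note: str

def parse_build(text: str) -> tuple:
    """Turn '12.3.2.3617' into (12, 3, 2, 3617) so builds compare numerically, not as strings."""
    return tuple(int(part) for part in text.strip().split("."))

def assess(host: str, product: str, build: str, domain_joined: bool) -> Finding:
    fixed, cves = ADVISORY[product]
    current = parse_build(build)
    if current[0] != fixed[0]:
        return Finding(host, product, build, False, (), "major version not in this advisory's affected line")
    if current >= fixed:
        return Finding(host, product, build, False, (), "fixed build or later")
    if product == "Veeam Backup & Replication" and not domain_joined:
        # The advisory limits the RCE impact to domain-joined v12 servers, but the build is still below the fix.
        return Finding(host, product, build, True, cves, "affected build; RCE impact limited to domain-joined servers")
    return Finding(host, product, build, True, cves, "affected build; exposed to the listed CVEs")

# Constructed sample inventory (hypothetical hosts and older builds): host,product,build,domain_joined
SAMPLE_INVENTORY = """\
vbr-01,Veeam Backup & Replication,12.3.2.3617,yes
vbr-02,Veeam Backup & Replication,12.3.2.4165,yes
vbr-03,Veeam Backup & Replication,12.3.1.1000,no
ws-07,Veeam Agent for Microsoft Windows,6.3.2.1205,yes
ws-08,Veeam Agent for Microsoft Windows,6.3.2.1302,no
"""

def assess_inventory(csv_text: str) -> list:
    """Assess every inventory line and return one Finding per host."""
    findings = []
    for line in csv_text.splitlines():
        host, product, build, joined = [field.strip() for field in line.split(",")]
        findings.append(assess(host, product, build, joined.lower() == "yes"))
    return findings

if __name__ == "__main__":
    for f in assess_inventory(SAMPLE_INVENTORY):
        print(f"{f.host:7} {f.build:13} patch={f.needs_patch} {', '.join(f.cves) or '-'} :: {f.note}")
```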