KB4743: Vulnerabilities Resolved in Veeam Backup & Replication 12.3.2
Issue Details CVE-2025-23121 A vulnerability allowing remote code execution (RCE) on the Backup Server by an authenticated domain user. Severity: Critical CVSS v3.0 Score: 9.9 Source: Reported by watchTowr and CodeWhite. Note: This vulnerability only impacts domain-joined backup servers. Veeam Backup & Replication Security Best Practice Guide > Workgroup or Domain? Affected Product Veeam Backup & Replication 12.3.1.1139 and all earlier version 12 builds. Note: Unsupported product versions are not tested, but are likely affected and should be considered vulnerable. Solution This vulnerability was fixed starting in the following build: Veeam Backup & Replication 12.3.2 (build 12.3.2.3617) CVE-2025-24286 A vulnerability allowing an authenticated user with the Backup Operator role to modify backup jobs, which could execute arbitrary code. Severity: High CVSS v3.1 Score: 7.2 Source: Reported by Nikolai Skliarenko with Trend Micro. Affected Product Veeam Backup & Replication 12.3.1.1139 and all earlier version 12 builds. Note: Unsupported product versions are not tested, but are likely affected and should be considered vulnerable. Solution This vulnerability was fixed starting in the following build: Veeam Backup & Replication 12.3.2 (build 12.3.2.3617) CVE-2025-24287 A vulnerability allowing local system users to modify directory contents, allowing for arbitrary code execution on the local system with elevated permissions. Severity: Medium CVSS v3.1 Score: 6.1 Source: Reported by CrisprXiang working with Trend Micro Zero Day Initiative. Affected Product Veeam Agent for Microsoft Windows 6.3.1.1074 and all earlier version 6 builds. Note: Unsupported product versions are not tested, but are likely affected and should be considered vulnerable. Solution This vulnerability was fixed starting in the following build: Veeam Agent for Microsoft Windows 6.3.2 (build 6.3.2.1205) Veeam Agent for Microsoft Windows is included with Veeam Backup & Replication and available as a standalone application.