Critical Vulnerabilities in Veeam Backup
On October 14th 2025, Veeam released a security advisory addressing multiple vulnerabilities including 2 critical in its Veeam Backup product.
The vulnerability CVE-2025-48983, with a CVSS score of 9.9, resides in the Mount service of Veeam Backup & Replication and allows an authenticated domain user to execute arbitrary code on backup infrastructure hosts.
The vulnerability CVE-2025-48984, with a CVSS score of 9.9, allows an authenticated domain user to execute arbitrary code remote code execution (RCE) on the Backup Server.
The vulnerability CVE-2025-48982, with a CVSS score of 7.3, resides in Veeam Agent for Microsoft Windows and allows for Local Privilege Escalation if a system administrator is tricked into restoring a malicious file.
Affected Products
The vulnerabilities CVE-2025-48983 and CVE-2025-48984 impact Veeam Backup & Replication 12.3.2.3617 and all earlier version 12 builds. They only impact domain-joined backup servers.
The vulnerability CVE-2025-48982 impacts Veeam Agent for Microsoft Windows 6.3.2.1205 and all earlier version 6 builds.
The vendor mentions that unsupported product versions are not tested, but are likely affected and should be considered vulnerable.
Further details = https://www.veeam.com/kb4771

Blogger at www.systemtek.co.uk
