On Tuesday, June 17, 2025, backup and recovery software provider Veeam published a security advisory for a critical remote code execution (RCE) vulnerability tracked as CVE-2025-23121. The vulnerability affects Backup & Replication systems that are domain-joined. Veeam explicitly notes that domain-joined backup servers are against security and compliance best practices, but in reality, we believe this is likely to be a relatively common configuration.
CVE-2025-23121 is credited to security researchers at CODE WHITE GmbH and watchTowr. In March 2025, following the release of the patch for Veeam Backup & Replication’s CVE-2025-23120, these researchers publicly stated that the patch for CVE-2025-23120 could be bypassed. Veeam’s June 17 advisory states that CVE-2025-23121 is authenticated, the CVSS score is 9.9, and “authenticated domain users” can exploit the vulnerability; all of these details align with the advisory for CVE-2025-23120.
No public proof-of-concept exploit has been released (at the time of this blog's publication). Veeam Backup & Replication has a very large deployment footprint, and backup solutions are commonly targeted by threat actors. Veeam Backup & Replication should not be exposed to the internet, and it is a more effective internal attack vector than an external one. Still, plenty of previous Veeam Backup & Replication vulnerabilities have been exploited in the wild, including by ransomware groups.
As we have mentioned previously, more than 20% of Rapid7 incident response cases in 2024 involved Veeam being accessed or exploited in some manner, typically once an adversary has already established a foothold in the target environment.
Mitigation guidance
Veeam Backup & Replication 12.3.1.1139 and all earlier version 12 builds are vulnerable to CVE-2025-23121, per the vendor advisory.
Customers should update to the latest version of the software (12.3 build 12.3.2.3617) immediately, without waiting for a regular patch cycle to occur. Per the vendor, unsupported software versions were not tested but should be considered vulnerable.
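To make the version guidance above operational, the following added example (not Rapid7's or Veeam's code) triages a backup-server inventory against the two builds the advisory names: anything at or below 12.3.1.1139 is vulnerable, 12.3.2.3617 and later is fixed, and pre-12 versions are treated as vulnerable because the vendor did not test them. The inventory records, hostnames and version strings are constructed, and treating any build that falls between the two stated thresholds as vulnerable is our conservative assumption, not something the advisory states.

```python
# Added example, not code from Rapid7 or Veeam. Classifies Veeam Backup &
# Replication build numbers against the thresholds in the CVE-2025-23121 advisory
# and orders a (constructed) inventory so domain-joined, vulnerable hosts come first.
from dataclasses import dataclass

LAST_VULNERABLE_BUILD = (12, 3, 1, 1139)  # latest affected build per the advisory
FIXED_BUILD = (12, 3, 2, 3617)            # first fixed build per the advisory


def parse_version(text):
    """Turn a dotted build string such as '12.3.1.1139' into a 4-tuple of ints.

    Missing trailing components are padded with 0 so '12.3' sorts below
    '12.3.1.1139'; anything that is not 1-4 numeric fields is rejected.
    """
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Veeam version string: {text!r}")
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (4 - len(nums)))


def assess(version_text):
    """Return 'vulnerable', 'fixed' or 'assume-vulnerable' for one build string."""
    v = parse_version(version_text)
    if v[0] < 12:
        # Unsupported versions were not tested by the vendor; treat as vulnerable.
        return "assume-vulnerable"
    if v <= LAST_VULNERABLE_BUILD:
        return "vulnerable"
    if v >= FIXED_BUILD:
        # Assumption: later builds retain the fix.
        return "fixed"
    # Assumption: a build between the two stated thresholds is not covered by
    # the advisory, so err on the side of caution.
    return "assume-vulnerable"


@dataclass
class BackupServer:
    host: str
    version: str
    domain_joined: bool


def triage(servers):
    """Return (host, status, priority) rows, priority 1 first.

    Priority 1: not fixed and domain-joined (the configuration the advisory scopes
    the flaw to). Priority 2: not fixed but standalone. Priority 3: fixed.
    """
    rows = []
    for s in servers:
        status = assess(s.version)
        if status == "fixed":
            priority = 3
        elif s.domain_joined:
            priority = 1
        else:
            priority = 2
        rows.append((s.host, status, priority))
    return sorted(rows, key=lambda r: r[2])  # stable sort keeps input order per tier


# Constructed inventory for demonstration; hostnames and versions are made up
# except for the two builds quoted from the advisory.
SAMPLE_INVENTORY = [
    BackupServer("vbr-01.corp.example", "12.3.1.1139", True),
    BackupServer("vbr-02.corp.example", "12.3.2.3617", True),
    BackupServer("vbr-lab.example", "12.1.0.100", False),
    BackupServer("vbr-old.example", "11.0.0.5", True),
]

if __name__ == "__main__":
    for host, status, prio in triage(SAMPLE_INVENTORY):
        print(f"P{prio}  {host:<22} {status}")
```

In practice the `version` field would be populated from your asset inventory or a vulnerability scanner export rather than typed by hand; the ordering is the useful part, since it puts the domain-joined, unpatched servers that the advisory is actually about at the top of the patch list.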
Rapid7 customers
InsightVM and Nexpose customers will be able to assess their exposure to CVE-2025-23121 with a vulnerability check expected to be available in tomorrow’s (Wednesday, June 18) content release.