New Veeam RCE flaw lets domain users hack backup servers
CRITICAL CVSS Score: 9.9
Information:
Veeam Backup & Replication is a comprehensive data protection and disaster recovery solution. With Veeam Backup & Replication, you can create image-level backups of virtual, physical and cloud machines and restore from them. Technology used in the product optimizes data transfer and resource consumption, which helps to minimize storage costs and the recovery time in case of a disaster.
Veeam Backup & Replication provides a centralized console for administering backup, restore and replication operations in all supported platforms (virtual, physical, cloud). Also, the console allows you to automate and schedule routine data protection operations and integrate with solutions for alerting and generating compliance reports.
Incident:
Veeam has released security updates today to fix several Veeam Backup & Replication (VBR) flaws, including a critical remote code execution (RCE) vulnerability.
Tracked as CVE-2025-23121, this security flaw was reported by security researchers at watchTowr and CodeWhite, and it only impacts domain-joined installations.
As Veeam explained in a Tuesday security advisory, the vulnerability can be exploited by authenticated domain users in low-complexity attacks to gain code execution remotely on the Backup Server. This flaw affects Veeam Backup & Replication 12 or later, and it was fixed in version 12.3.2.3617, which was released earlier today.
While CVE-2025-23121 only impacts VBR installations joined to a domain, any domain user can exploit it, making it easy to abuse in those configurations.
Unfortunately, many companies have joined their backup servers to a Windows domain, ignoring Veeam's best practices, which advise admins to use a separate Active Directory Forest and protect the administrative accounts with two-factor authentication.
What’s more concerning is the context: this vulnerability appears to be a bypass of CVE-2025-23120, a previously patched flaw. Researchers at CODE WHITE and watchTowr, who initially discovered the bypass, were also credited with identifying CVE-2025-23121.
Affected Product
Recommend:
This vulnerability was fixed starting in the following build:
Security systems matter: we must stay vigilant and keep monitoring as usual.
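An added defender-side check (not Veeam's code and not taken from the referenced advisory) that a Windows admin could run on a backup server to see the two conditions the text above ties together: whether the host is domain-joined and whether the installed Veeam Backup & Replication build is below the fixed build 12.3.2.3617. It reads the standard Windows uninstall registry keys and assumes the product's DisplayName begins with "Veeam Backup & Replication" and that DisplayVersion is a four-part numeric build.

```powershell
# Added example: flags a VBR host that is both domain-joined and below the fixed build.
# Assumptions (not from Veeam documentation): the product registers under the standard
# Windows uninstall keys with a DisplayName starting "Veeam Backup & Replication" and a
# DisplayVersion that parses as a four-part System.Version.

$FixedBuild = [version]'12.3.2.3617'   # fixed build stated in the advisory text above

$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Look up the installed product entry (first match only)
$vbr = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'Veeam Backup & Replication*' } |
    Select-Object -First 1

if (-not $vbr) {
    Write-Output 'Veeam Backup & Replication not found in the uninstall registry.'
    return
}

# CVE-2025-23121 is only reachable on domain-joined installations
$domainJoined = (Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain

$installed = $null
$parsed = [version]::TryParse([string]$vbr.DisplayVersion, [ref]$installed)

if ($parsed) {
    $needsUpdate = $installed -lt $FixedBuild
    $exposed     = $domainJoined -and $needsUpdate
} else {
    $needsUpdate = 'unknown (unparsable DisplayVersion)'
    $exposed     = 'unknown'
}

[pscustomobject]@{
    ComputerName   = $env:COMPUTERNAME
    DomainJoined   = $domainJoined
    InstalledBuild = $vbr.DisplayVersion
    FixedBuild     = $FixedBuild.ToString()
    NeedsUpdate    = $needsUpdate
    ExposedToCVE   = $exposed   # true only when domain-joined AND below the fixed build
}
```

A host reporting ExposedToCVE = True should be updated first; a domain-joined host that is already patched still deviates from the separate-forest guidance quoted above.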
For more information please contact:
Email: sales@inetms.co.th
065 149 2822 (Ms. Suphatson)
063 204 4534 (Ms. Atsamaphorn)
065 929 6330 (Ms. Kansinee)
0613879439 (Ms. Sirilak)
0922576902 (Ms. Narusorn)
References:
- https://www.veeam.com/kb4743?utm_source=chatgpt.com
- https://socradar.io/cve-2025-23121-rce-patched-veeam-backup-replication/
- https://helpcenter.veeam.com/docs/backup/vsphere/overview.html?ver=120
Weekly Interesting CVE

NO. | CVE Name | Published Date | Last Update | Device/Application/OS Target | Attack Type | CVSS | Detail | Solution | Reference
---|---|---|---|---|---|---|---|---|---
1 | CVE-2025-2817 | 29/4/2025 | 13/6/2025 | Mozilla | Privilege escalation | 8.8 | Thunderbird's update mechanism allowed a medium-integrity user process to interfere with the SYSTEM-level updater by manipulating the file-locking behavior. By injecting code into the user-privileged process, an attacker could bypass intended access controls, allowing SYSTEM-level file operations on paths controlled by a non-privileged user and enabling privilege escalation. This vulnerability affects Firefox < 138, Firefox ESR < 128.10, Firefox ESR < 115.23, Thunderbird < 138, and Thunderbird < 128.10. | Update to the latest version. |
2 | CVE-2025-26241 | 5/5/2025 | 13/6/2025 | osTicket | SQL Injection | 6.5 | A SQL injection vulnerability in the "Search" functionality of the "tickets.php" page in osTicket <= 1.17.5 allows authenticated attackers to execute arbitrary SQL commands via the combination of the "keywords" and "topic_id" URL parameters. | Update osTicket to version 1.17.6 or higher. |
3 | CVE-2025-5875 | 9/6/2025 | 12/6/2025 | TP-LINK | Buffer overflow | 8.8 | A vulnerability classified as critical has been found in TP-LINK Technologies TL-IPC544EP-W4 1.0.9 Build 240428 Rel 69493n. Affected is the function sub_69064 of the file /bin/main. Manipulation of the argument text leads to a buffer overflow. It is possible to launch the attack remotely. | There is no patch or update available to fix this vulnerability yet. | https://app.opencve.io/cve/CVE-2025-5875
4 | CVE-2025-43714 | 19/5/2025 | 12/6/2025 | OpenAI | HTML injection | 6.5 | The ChatGPT system through 2025-03-30 performs inline rendering of SVG documents (instead of, for example, rendering them as text inside a code block), which enables HTML injection within most modern graphical web browsers. | The issue has been resolved. | https://app.opencve.io/cve/CVE-2025-43714
5 | CVE-2025-41231 | 20/5/2025 | 12/6/2025 | VMware | Missing Authorisation | 7.3 | VMware Cloud Foundation contains a missing authorisation vulnerability. A malicious actor with access to the VMware Cloud Foundation appliance may be able to perform certain unauthorised actions and access limited sensitive information. | Update to the latest version. | https://app.opencve.io/cve/CVE-2025-41231
Malware News or Campaign IOC/IOA | EN

No | Campaign Name | Detection Date | Attack Type | Description | Mitigation/Remediation
---|---|---|---|---|---
1 | Anubis ransomware | 14/06/2025 | Phishing, Privilege Escalation, Defense Evasion | Anubis has developed a new feature called "Wipe Mode" which, in addition to normal file encryption, can also erase the contents of the files so that they cannot be recovered, even if the ransom is paid. When Wipe Mode is enabled, the files are reduced to 0KB in size, but the file and folder names are preserved, making them appear to still exist, when in reality the data has been deleted. This feature is designed to pressure victims into paying without any negotiation. |
Ref: Anubis ransomware adds wiper to destroy files beyond recovery
01 July 2025