54/68 Friday, February 7, 2025
Veeam has released a patch to address a vulnerability in its backup software that could allow attackers to execute malicious code on affected systems. The vulnerability, identified as CVE-2025-23114, has been assigned a CVSS severity score of 9.0. According to Veeam, the issue lies within the Veeam Updater Component, which could be exploited through a Man-in-the-Middle (MitM) attack, allowing an attacker to execute arbitrary code on the target server with root-level privileges. The vulnerability affects the following Veeam products:
- Veeam Backup for Salesforce – Versions 3.1 and earlier
- Veeam Backup for Nutanix AHV – Versions 5.0, 5.1 (Version 6 and later are unaffected)
- Veeam Backup for AWS – Versions 6a, 7 (Version 8 and later are unaffected)
- Veeam Backup for Microsoft Azure – Versions 5a, 6 (Version 7 and later are unaffected)
- Veeam Backup for Google Cloud – Versions 4, 5 (Version 6 and later are unaffected)
- Veeam Backup for Oracle Linux Virtualization Manager & Red Hat Virtualization – Versions 3, 4.0, 4.1 (Version 5 and later are unaffected)
Patched Versions
Veeam has addressed the vulnerability in the following updated Veeam Updater versions:
- Veeam Backup for Salesforce – Veeam Updater 7.9.0.1124
- Veeam Backup for Nutanix AHV – Veeam Updater 9.0.0.1125
- Veeam Backup for AWS – Veeam Updater 9.0.0.1126
- Veeam Backup for Microsoft Azure – Veeam Updater 9.0.0.1128
- Veeam Backup for Google Cloud – Veeam Updater 9.0.0.1128
- Veeam Backup for Oracle Linux Virtualization Manager & Red Hat Virtualization – Veeam Updater 9.0.0.1127
Veeam further clarified that if Veeam Backup & Replication is not being used with AWS, Google Cloud, Microsoft Azure, Nutanix AHV, or Oracle Linux VM/Red Hat Virtualization, then the system is not affected by this vulnerability. Users are strongly advised to update their software to the latest version as soon as possible to mitigate the risk of exploitation.
Source https://thehackernews.com/2025/02/new-veeam-flaw-allows-arbitrary-code.html
