Veeam Patches Critical Man-in-the-Middle Backup & Replication Flaw (CVE-2025-23114)

Written by: Lore Apostol, Cybersecurity & Streaming Writer
Source: Veeam

Veeam has issued patches for a critical vulnerability in its Backup & Replication software, which could allow attackers to execute arbitrary code on affected systems. The security flaw tracked as CVE-2025-23114 has been assigned a CVSS score of 9.0, highlighting its severity.

According to Veeam's security advisory, the flaw lies in the Veeam Updater component and lets an attacker in a Man-in-the-Middle (MitM) position execute arbitrary code with root-level permissions on the targeted appliance server.

The vulnerability impacts Veeam Backup for Salesforce versions 3.1 and older, and the Veeam Backup products for Nutanix AHV versions 5.0 and 5.1, AWS versions 6a and 7, Microsoft Azure versions 5a and 6, Google Cloud versions 4 and 5, and Oracle Linux Virtualization Manager and Red Hat Virtualization versions 3, 4.0, and 4.1.

The company clarified that Veeam Backup & Replication (VBR) deployments that do not protect AWS, Google Cloud, Microsoft Azure, Nutanix AHV, or Oracle Linux VM/Red Hat Virtualization are not impacted by this vulnerability. 

Organizations using the affected products are strongly urged to update to the latest patched versions immediately to mitigate potential exploitation.

Additionally, administrators should review their deployments to ensure no unauthorized access has occurred and consider implementing network monitoring measures to detect potential MitM activities.

Given the high CVSS score and the potential for remote code execution with root-level permissions, keeping software components up to date is essential. Failure to patch could expose systems to exploitation, leading to severe data breaches or operational disruptions.

In 2024, the Akira, Fog, and EstateRansomware ransomware operations exploited two now-patched VBR flaws that allowed remote code execution and access to encrypted credentials.


