
Veeam Software Security Advisory CVE-2025-23114 on Resolved Vulnerabilities

Concerning Veeam Backup for Salesforce, Backup for Nutanix AHV, Backup for AWS, Backup for Microsoft Azure, Backup for Google Cloud, and Backup for Oracle Linux Virtualization Manager and Red Hat Virtualization

Veeam Software, Inc. has published a security advisory concerning resolved vulnerabilities in its software.

KB ID: 4712
Product:

  • Veeam Backup for Salesforce
  • Veeam Backup for Nutanix AHV
  • Veeam Backup for AWS
  • Veeam Backup for Microsoft Azure
  • Veeam Backup for Google Cloud
  • Veeam Backup for Oracle Linux Virtualization Manager and Red Hat Virtualization

Published: 2025-02-04
Last Modified: 2025-02-04

Veeam Software Security Commitment
Veeam is committed to ensuring its products protect customers from potential risks. As part of that commitment, we operate a Vulnerability Disclosure Program (VDP) for all Veeam products and perform extensive internal code audits. When a vulnerability is identified, our team promptly develops a patch to address and mitigate the risk. In line with our dedication to transparency, we publicly disclose the vulnerability and provide detailed mitigation information. This approach ensures that all potentially affected customers can quickly implement the necessary measures to safeguard their systems. It’s important to note that once a vulnerability and its associated patch are disclosed, attackers will likely attempt to reverse-engineer the patch to exploit unpatched deployments of Veeam software. This reality underscores the critical importance of ensuring that all customers use the latest versions of our software and install all updates and patches without delay.

Automatic Updates
The vulnerability discussed in this article affects the Veeam Updater component within the backup appliances used by the listed applications. The updated version of this Veeam Updater component will have been published to the Veeam Repository alongside the release of this announcement. As automatic updates are enabled for all backup appliances associated with this issue, all actively supported backup appliance versions will automatically download and install this updated version of the Veeam Updater component.

Furthermore, for all applications other than Veeam Backup for Salesforce, the latest version of each appliance discussed in this article is unaffected by this vulnerability. This means that customers whose Veeam Backup & Replication deployments utilize these backup appliances are unaffected if they have already upgraded to version 12.3 and updated those backup appliances.

Note: Customers who do not use any of the applications listed in the Issue Details section are entirely unaffected by this vulnerability. For information about checking whether such backup appliances are managed by Veeam Backup & Replication, please refer to the More Information section.

Issue Details:

CVE-2025-23114
A vulnerability within the Veeam Updater component that allows an attacker to utilize a Man-in-the-Middle attack to execute arbitrary code on the affected appliance server with root-level permissions.

Severity: Critical
CVSS v3.1 Score: 9.0
Source: Reported by @putsi via HackerOne.

Affected Products:

Current Releases:
The following product’s current release is affected by this vulnerability:

  • Veeam Backup for Salesforce — 3.1 and older

Previous Releases:
The following products’ older releases utilize an older Veeam Updater component that was also found to be affected.
As noted below each entry, the most recent version of each of these appliances is not affected. Therefore, if Veeam Backup & Replication is running version 12.3, and the appliances for these applications have been updated, they will be running a current and unaffected version.

  • Veeam Backup for Nutanix AHV — 5.0 | 5.1
    Note: Version 6 (released on 2024-08-24 alongside VBR 12.2) and higher are unaffected by this vulnerability.
  • Veeam Backup for AWS — 6a | 7
    Note: The most recent version (v8), released on 2024-07-02, is unaffected by this vulnerability.
  • Veeam Backup for Microsoft Azure — 5a | 6
    Note: The most recent version (v7), released on 2024-07-02, is unaffected by this vulnerability.
  • Veeam Backup for Google Cloud — 4 | 5
    Note: The most recent version (v6), released on 2024-12-03, is unaffected by this vulnerability.
  • Veeam Backup for Oracle Linux Virtualization Manager and Red Hat Virtualization — 3 | 4.0 | 4.1
    Note: Version 5 (released on 2024-08-24 alongside VBR 12.2) and higher are unaffected by this vulnerability.

Solution:

Veeam Backup for Salesforce
The vulnerability was resolved in Veeam Updater component version 7.9.0.1124.

Check for Updates using the built-in Veeam Updater to update the Veeam Updater component.
Then view the updates history and check the Veeam Updater version shown in the top-right corner.

Veeam Backup for Nutanix AHV
Note: If Veeam Backup & Replication 12.3 is installed, and the Veeam Backup for Nutanix AHV appliance has already been upgraded, the appliance is unaffected by this vulnerability.

The vulnerability was resolved in Veeam Updater component version 9.0.0.1125.

Check for Updates using the built-in Veeam Updater to update the Veeam Updater component.
Then view the updates history and check the Veeam Updater version shown in the top-right corner.

Veeam Backup for AWS
Note: If Veeam Backup & Replication 12.3 is installed, and the AWS backup appliance has already been upgraded, the appliance is unaffected by this vulnerability.

The vulnerability was resolved in Veeam Updater component version 9.0.0.1126.

Check for Updates using the built-in Veeam Updater to update the Veeam Updater component.
Then view the updates history and check the Veeam Updater version shown in the top-right corner.

Veeam Backup for Microsoft Azure
Note: If Veeam Backup & Replication 12.3 is installed, and the Microsoft Azure backup appliance has already been upgraded, the appliance is unaffected by this vulnerability.

The vulnerability was resolved in Veeam Updater component version 9.0.0.1128.

Check for Updates using the built-in Veeam Updater to update the Veeam Updater component.
Then view the updates history and check the Veeam Updater version shown in the top-right corner.

Veeam Backup for Google Cloud
Note: If Veeam Backup & Replication 12.3 is installed, and the Google Cloud backup appliance has already been upgraded, the appliance is unaffected by this vulnerability.

The vulnerability was resolved in Veeam Updater component version 9.0.0.1128.

Check for Updates using the built-in Veeam Updater to update the Veeam Updater component.
Then view the updates history and check the Veeam Updater version shown in the top-right corner.

Veeam Backup for Oracle Linux Virtualization Manager and Red Hat Virtualization
Note: If Veeam Backup & Replication 12.3 is installed, and the Veeam Backup for Oracle Linux Virtualization Manager and Red Hat Virtualization appliance has already been upgraded, the appliance is unaffected by this vulnerability.

The vulnerability was resolved in Veeam Updater component version 9.0.0.1127.
All Veeam Updater component versions equal to or higher than this are unaffected by this vulnerability.

Update the backup appliance from within the Veeam Backup & Replication Console.

To check which Veeam Updater component is used by the Veeam Backup for Oracle Linux Virtualization Manager and Red Hat Virtualization appliance:

  1. Download support logs from the appliance.

  2. Within the collected logs, open the file “<log_bundle>/veeam/veeam-updater/updater.log”.

  3. Review the logs to identify the Veeam Updater component version. In most cases, the version will be listed in the lines just after a reference to the service Starting.

    • For newer unaffected appliance versions (v5 and higher), the entry will appear as “Application : Veeam.Updater, Version=”.
      For example:

       Starting log. Severity threshold: Information, LogFilesNumber = 10, LogFileMaxSize = 10 Mbs, ArchivesLimit = 10
      -----------------------------------------------------------------------------------------------------------------
      Release version       :  11.0.0.754
      Application           :  Veeam.Updater, Version=11.0.0.754, Culture=neutral, PublicKeyToken=null
    • For older affected appliance versions (v3, v4, and v4.1), the entry will appear as “Main.main: Version:”.

      For example:

      MM.DD.YYYY HH:MM:SS [info    ] ### [###] Main.main: ============= Starting =============
      MM.DD.YYYY HH:MM:SS [info    ] ### [###] Main.main: Version: 9.0.0.1087

      In this example the Veeam Updater build is less than the fixed build (9.0.0.1127) and would indicate that the Veeam Backup for Oracle Linux Virtualization Manager and Red Hat Virtualization backup appliance needs to be updated.
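Added example, not Veeam's own tooling: a small Python checker that applies the log-reading steps above to a saved updater.log, recognising both line shapes the advisory shows and comparing the most recent build against the fixed Veeam Updater builds listed in the Solution section for each appliance. The appliance keys and the sample log excerpts are constructed for illustration.

```python
import re

# Fixed Veeam Updater builds per appliance, as listed in this advisory (KB 4712).
# The dictionary keys are labels chosen for this example, not Veeam identifiers.
FIXED_UPDATER_BUILD = {
    "salesforce": "7.9.0.1124",
    "nutanix_ahv": "9.0.0.1125",
    "aws": "9.0.0.1126",
    "azure": "9.0.0.1128",
    "google_cloud": "9.0.0.1128",
    "olvm_rhv": "9.0.0.1127",
}

# The two line shapes the advisory shows in updater.log:
#   older updater: "... Main.main: Version: 9.0.0.1087"
#   newer updater: "Application : Veeam.Updater, Version=11.0.0.754, Culture=neutral, ..."
_OLD_RE = re.compile(r"Main\.main:\s*Version:\s*(\d+(?:\.\d+){3})")
_NEW_RE = re.compile(r"Veeam\.Updater,\s*Version=(\d+(?:\.\d+){3})")


def parse_build(text):
    """Turn '9.0.0.1127' into (9, 0, 0, 1127) so builds compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def updater_versions(log_text):
    """Every Veeam Updater build recorded in the log, in file order.
    Each service restart writes a new 'Starting' block, so the last hit is the running build."""
    found = []
    for line in log_text.splitlines():
        match = _OLD_RE.search(line) or _NEW_RE.search(line)
        if match:
            found.append(match.group(1))
    return found


def current_updater_version(log_text):
    versions = updater_versions(log_text)
    return versions[-1] if versions else None


def needs_update(log_text, appliance):
    """True when the most recent build in the log is older than the fixed build for that appliance."""
    current = current_updater_version(log_text)
    if current is None:
        raise ValueError("no Veeam Updater version line found in updater.log")
    return parse_build(current) < parse_build(FIXED_UPDATER_BUILD[appliance])


# Constructed sample excerpts (not real captures), shaped like the advisory's examples.
SAMPLE_OLD_LOG = """\
01.15.2025 08:00:01 [info    ] 123 [1] Main.main: ============= Starting =============
01.15.2025 08:00:01 [info    ] 123 [1] Main.main: Version: 9.0.0.1087
"""
SAMPLE_NEW_LOG = """\
Release version       :  11.0.0.754
Application           :  Veeam.Updater, Version=11.0.0.754, Culture=neutral, PublicKeyToken=null
"""
```

Point it at the real updater.log from the support bundle by reading the file into `needs_update`; a build below the listed fixed build means the appliance still needs the update described in the Solution section.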

More Information
If a Veeam Backup & Replication deployment is not protecting AWS, Google Cloud, Microsoft Azure, Nutanix AHV, or Oracle Linux VM/Red Hat Virtualization, such a deployment is not impacted by the vulnerability discussed in this article.

You can verify if Veeam Backup & Replication manages any of these affected backup appliances by checking the Backup Infrastructure > Managed Servers list for any of the following entry types:

  • Nutanix AHV / Nutanix Prism Central / Nutanix AHV Cluster
  • AWS backup appliance
  • Microsoft Azure backup appliance
  • Google Cloud backup appliance
  • oVirt KVM Manager