
Veeam Updater receives update for critical RCE flaw


Veeam has released a patch for the Veeam Updater component used by several Veeam Backup products, closing a flaw that could allow remote code execution (RCE) through a man-in-the-middle attack.

The critical vulnerability, tracked as CVE-2025-23114, has a CVSS score of 9.0 and affects Veeam Backup for Salesforce, Nutanix AHV, AWS, Microsoft Azure, Google Cloud, and Oracle Linux Virtualization Manager and Red Hat Virtualization.

For every affected product other than Veeam Backup for Salesforce, the vulnerable Veeam Updater ships only in releases older than the current one, so instances that were fully up to date as of January 2025 are not affected by CVE-2025-23114.

Veeam Backup for Salesforce, however, is affected up to the current version 3.1, and requires an additional update to patch the flaw.

CVE-2025-23114 was discovered and reported by white hat hacker Jarmo Puttonen and first disclosed by Veeam on Tuesday. Because the updater failed to properly validate Transport Layer Security (TLS) certificates, a remote attacker able to intercept traffic between the appliance and its update source (a man-in-the-middle attack) could serve a malicious update and execute arbitrary code with root permissions on the affected appliance server.
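To show why a missing certificate check turns an update download into root RCE, here is an added illustration in Go. It is not Veeam's code and does not reproduce CVE-2025-23114; it is a toy updater client that fetches an "update" from two TLS servers started in-process on loopback, a vendor server and a rogue one, each with a self-signed certificate minted at runtime. The vendor name `updates.example.invalid`, the update payloads, and the function names are all assumptions for the example. The vulnerable client sets `InsecureSkipVerify`, the equivalent of skipping certificate validation; the corrected client trusts only the vendor's certificate and floors TLS at 1.2.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// selfSignedCert mints a throwaway self-signed certificate valid for 127.0.0.1,
// which is where httptest listens. The "vendor" and the "attacker" each get one;
// the attacker copies the vendor's name but necessarily has a different key.
func selfSignedCert(cn string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn}, // assumed vendor name
		IPAddresses:           []net.IP{net.IPv4(127, 0, 0, 1)},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// startUpdateServer serves a constructed update payload over TLS with the given cert.
func startUpdateServer(cert tls.Certificate, payload string) *httptest.Server {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		io.WriteString(w, payload)
	}))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{cert}}
	srv.StartTLS()
	return srv
}

// insecureClient mirrors the vulnerable pattern: certificate validation is switched
// off, so whoever answers on the wire, including a man-in-the-middle, is accepted.
func insecureClient() *http.Client {
	return &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
	}}
}

// pinnedClient is the corrected form: the only trust anchor is the vendor's own
// certificate and TLS 1.2 is the floor, so a rogue certificate fails the handshake.
func pinnedClient(vendorCert tls.Certificate) (*http.Client, error) {
	leaf, err := x509.ParseCertificate(vendorCert.Certificate[0])
	if err != nil {
		return nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12},
	}}, nil
}

// fetchUpdate downloads the update body; in a real updater this is what would be
// installed or executed as root, so whether the server was authenticated decides everything.
func fetchUpdate(c *http.Client, url string) (string, error) {
	resp, err := c.Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return "", err
	}
	return string(body), nil
}

func main() {
	vendorCert, _ := selfSignedCert("updates.example.invalid")
	attackerCert, _ := selfSignedCert("updates.example.invalid")
	vendor := startUpdateServer(vendorCert, "update.sh: echo genuine")
	mitm := startUpdateServer(attackerCert, "update.sh: echo pwned")
	defer vendor.Close()
	defer mitm.Close()

	body, err := fetchUpdate(insecureClient(), mitm.URL)
	fmt.Printf("vulnerable client via MITM: %q err=%v\n", body, err)

	safe, _ := pinnedClient(vendorCert)
	body, err = fetchUpdate(safe, mitm.URL)
	fmt.Printf("pinned client via MITM:     %q err=%v\n", body, err)
	body, err = fetchUpdate(safe, vendor.URL)
	fmt.Printf("pinned client via vendor:   %q err=%v\n", body, err)
}
```

The rogue server cannot be told apart from the vendor by the insecure client: it presents a certificate with the same name, and nothing checks who issued it. The pinned client rejects it with an unknown-authority error and still reaches the genuine server, which is the behaviour a fixed updater should have. In production the trust anchor would be the vendor's CA rather than a single leaf, and signing the update package itself adds a second line of defence independent of the transport.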

Other Veeam products are not affected; the flaw is limited to the Veeam Backup products for Salesforce, Nutanix AHV, AWS, Microsoft Azure, Google Cloud, and Oracle Linux Virtualization Manager/Red Hat Virtualization. Users of the affected versions should open Veeam Updater, check for a security update, and let Veeam Updater install the patch for itself if one is offered.

Additional instructions were provided for users of Veeam Backup for Oracle Linux Virtualization Manager and Red Hat Virtualization, who should update the appliance from within the Veeam Backup & Replication Console. Instructions are also provided to check support logs and see whether a vulnerable version of Veeam Updater is being used by Veeam Backup for Oracle Linux Virtualization Manager and Red Hat Virtualization.

For the affected products other than Veeam Backup for Salesforce, the fix was already included in the following releases:

  • Veeam Backup for Nutanix AHV: Version 6, released on August 24, 2024
  • Veeam Backup for AWS: Version 8, released on July 2, 2024
  • Veeam Backup for Microsoft Azure: Version 7, released on July 2, 2024
  • Veeam Backup for Google Cloud: Version 6, released on December 3, 2024
  • Veeam Backup for Oracle Linux Virtualization Manager and Red Hat Virtualization: Version 5, released on August 24, 2024

A previous RCE flaw in Veeam Backup & Replication, tracked as CVE-2024-40711 with a CVSS score of 9.8, has been targeted by ransomware groups including Fog and Akira.

Veeam also patched a critical RCE flaw in its Veeam Service Provider Console (VSPC) in December.
