Full Report
Veeam has released patches to address a critical security flaw impacting its Backup software that could allow an attacker to execute arbitrary code on susceptible systems. The vulnerability, tracked as CVE-2025-23114, carries a CVSS score of 9.0 out of 10.0. "A vulnerability within the Veeam Updater component that allows an attacker to utilize a Man-in-the-Middle attack to execute arbitrary code
Analysis Summary
# Vulnerability: Arbitrary Code Execution in Veeam Updater via MitM Attack
## CVE Details
- CVE ID: CVE-2025-23114
- CVSS Score: 9.0 (High)
- CWE: Not specified in the article, likely related to insecure update mechanisms or improper authentication.
## Affected Systems
- **Products:**
  * Veeam Backup for Salesforce
  * Veeam Backup for Nutanix AHV
  * Veeam Backup for AWS
  * Veeam Backup for Microsoft Azure
  * Veeam Backup for Google Cloud
  * Veeam Backup for Oracle Linux Virtualization Manager and Red Hat Virtualization
- **Versions:**
  * Veeam Backup for Salesforce: 3.1 and older
  * Veeam Backup for Nutanix AHV: 5.0, 5.1 (6 and higher unaffected)
  * Veeam Backup for AWS: 6a, 7 (8 and higher unaffected)
  * Veeam Backup for Microsoft Azure: 5a, 6 (7 and higher unaffected)
  * Veeam Backup for Google Cloud: 4, 5 (6 and higher unaffected)
  * Veeam Backup for OLVM/RHV: 3, 4.0, 4.1 (5 and higher unaffected)
- **Configurations:** Vulnerability only impacts deployments protecting the listed cloud/virtualization platforms. Deployments *not* protecting AWS, GCP, Azure, Nutanix AHV, or OLVM/RHV are **not** impacted.
## Vulnerability Description
The vulnerability resides within the **Veeam Updater component**. It allows a remote, unauthenticated attacker who can intercept or tamper with the update traffic (a Man-in-the-Middle, MitM, position) to execute arbitrary code on the affected appliance server with root-level permissions.
## Exploitation
- **Status:** The article does not explicitly confirm a public proof of concept; the assessment that one is likely rests on the high severity and the nature of the flaw (arbitrary code execution), not on a reported exploit.
- **Complexity:** Medium to High (Requires successful MiTM positioning).
- **Attack Vector:** Network (Requires the ability to intercept or tamper with update traffic/responses).
## Impact
- **Confidentiality:** High (Root access allows access to system and backup data).
- **Integrity:** High (Root access allows system modification and data corruption).
- **Availability:** High (Root access allows for system shutdown or complete compromise).
## Remediation
### Patches
Veeam has released updates to the Veeam Updater component to address this issue. Customers must update to the following specific component versions:
- Veeam Backup for Salesforce: Updater version 7.9.0.1124
- Veeam Backup for Nutanix AHV: Updater version 9.0.0.1125
- Veeam Backup for AWS: Updater version 9.0.0.1126
- Veeam Backup for Microsoft Azure: Updater version 9.0.0.1128
- Veeam Backup for Google Cloud: Updater version 9.0.0.1128
- Veeam Backup for OLVM/RHV: Updater version 9.0.0.1127
### Workarounds
No specific workarounds were mentioned in the provided text, outside of ensuring systems that utilize the vulnerable components are patched. However, blocking or inspecting network traffic related to the Veeam Updater could be a temporary measure if patching is delayed.
## Detection
- **Indicators of Compromise (IOCs):** Not specified in the summary. IOCs would likely involve unexpected network connections or file modifications originating from the context of the Veeam Updater service running with root privileges.
- **Detection Methods and Tools:** Network monitoring (certificate or TLS anomaly alerting, unexpected redirects or hosts in update traffic) could flag suspicious MitM activity against the Veeam update endpoints. Endpoint detection and response (EDR) solutions should monitor for unauthorized process execution spawned by component services, especially those running as root.
## References
- Vendor Advisory: hxxps://www.veeam.com/kb4712