Veeam Security Advisory https://www.veeam.com/services/open/kb/security-feed 2026-04-16T19:35:57Z Veeam Software <![CDATA[Vulnerabilities Resolved in Veeam Backup & Replication 13.0.1.2067]]> https://www.veeam.com/kb4831 2026-03-12T00:00:00Z 2026-03-12T00:00:00Z

Vulnerabilities Resolved in Veeam Backup & Replication 13.0.1.2067

KB ID: 4831
Product: Veeam Backup & Replication | 13
Published: 2026-03-12
Last Modified: 2026-04-16
All vulnerabilities documented in this article were resolved in Veeam Backup & Replication 13.0.1.2067.
Veeam Software Security Commitment
Veeam® is committed to ensuring its products protect customers from potential risks. As part of that commitment, we operate a Vulnerability Disclosure Program (VDP) for all Veeam products and perform extensive internal code audits. When a vulnerability is identified, our team promptly develops a patch to address and mitigate the risk. In line with our dedication to transparency, we publicly disclose the vulnerability and provide detailed mitigation information. This approach ensures that all potentially affected customers can quickly implement the necessary measures to safeguard their systems. It’s important to note that once a vulnerability and its associated patch are disclosed, attackers will likely attempt to reverse-engineer the patch to exploit unpatched deployments of Veeam software. This reality underscores the critical importance of ensuring that all customers use the latest versions of our software and install all updates and patches without delay.

Issue Details

All vulnerabilities disclosed in this article affect Veeam Backup & Replication 13.0.1.1071 and all earlier version 13 builds.

CVE-2026-21669

A vulnerability allowing an authenticated domain user to perform remote code execution (RCE) on the Backup Server.

Severity: Critical
CVSS v3.1 Score: 9.9
Affected Deployment Type: Windows-based Veeam Backup & Replication
Source: Discovered during internal testing.

CVE-2026-21670

A vulnerability allowing a low-privileged user to extract saved SSH credentials.

Severity: High
CVSS v3.1 Score: 7.7CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Affected Deployment Type: Windows-based Veeam Backup & Replication | Veeam Software Appliance
Source: Discovered during internal testing.

CVE-2026-21671

A vulnerability allowing an authenticated user with the Backup Administrator role to perform remote code execution (RCE) in high availability (HA) deployments of Veeam Backup & Replication.

Severity: Critical
CVSS v3.1 Score: 9.1CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Affected Deployment Type: Veeam Software Appliance
Source: Discovered during internal testing.

CVE-2026-21672

A vulnerability allowing local privilege escalation on Windows-based Veeam Backup & Replication servers.

Severity: High
CVSS v3.1 Score: 8.8CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Affected Deployment Type: Windows-based Veeam Backup & Replication
Source: Reported through HackerOne.

CVE-2026-21708

A vulnerability allowing a Backup Viewer to perform remote code execution (RCE) as the postgres user.

Severity: Critical
CVSS v3.1 Score: 9.9CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
Affected Deployment Type: Windows-based Veeam Backup & Replication | Veeam Software Appliance
Source: Discovered during internal testing.

CVE-2026-21709

A vulnerability allowing a local attacker with administrator privileges to bypass Windows Driver Signature Enforcement.

Severity: Medium
CVSS v3.1 Score: 6.7CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
Source: Reported through HackerOne.

Other Resolved Security-related Issues

  • Veeam Agent for Linux — Updated the port range that the software will open in the machine's firewall to align with other Veeam products. Veeam Agent for Linux will now open ports 2500-3300.

Solution

These vulnerabilities were fixed starting with the following build:

If this KB article did not resolve your issue or you need further assistance with Veeam software, please create a Veeam Support Case.

To submit feedback regarding this article, please click this link: Send Article Feedback
To report a typo on this page, highlight the typo with your mouse and press CTRL + Enter.

]]> <![CDATA[Vulnerabilities Resolved in Veeam Backup & Replication 12.3.2.4465]]> https://www.veeam.com/kb4830 2026-03-12T00:00:00Z 2026-03-12T00:00:00Z

Vulnerabilities Resolved in Veeam Backup & Replication 12.3.2.4465

KB ID: 4830
Product: Veeam Backup & Replication | 12 | 12.1 | 12.2 | 12.3 | 12.3.1 | 12.3.2
Published: 2026-03-12
Last Modified: 2026-04-16
All vulnerabilities documented in this article were resolved in Veeam Backup & Replication 12.3.2.4465.
Veeam Software Security Commitment
Veeam® is committed to ensuring its products protect customers from potential risks. As part of that commitment, we operate a Vulnerability Disclosure Program (VDP) for all Veeam products and perform extensive internal code audits. When a vulnerability is identified, our team promptly develops a patch to address and mitigate the risk. In line with our dedication to transparency, we publicly disclose the vulnerability and provide detailed mitigation information. This approach ensures that all potentially affected customers can quickly implement the necessary measures to safeguard their systems. It’s important to note that once a vulnerability and its associated patch are disclosed, attackers will likely attempt to reverse-engineer the patch to exploit unpatched deployments of Veeam software. This reality underscores the critical importance of ensuring that all customers use the latest versions of our software and install all updates and patches without delay.

Issue Details

All vulnerabilities disclosed in this article affect Veeam Backup & Replication 12.3.2.4165 and all earlier version 12 builds.

CVE-2026-21666

A vulnerability allowing an authenticated domain user to perform remote code execution (RCE) on the Backup Server.

Severity: Critical
CVSS v3.1 Score: 9.9CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Source: Reported by HackerOne.

CVE-2026-21667

A vulnerability allowing an authenticated domain user to perform remote code execution (RCE) on the Backup Server.

Severity: Critical
CVSS v3.1 Score: 9.9CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Source: Discovered during internal testing.

CVE-2026-21668

A vulnerability allowing an authenticated domain user to bypass restrictions and manipulate arbitrary files on a Backup Repository.

Severity: High
CVSS v3.1 Score: 8.8CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Source: Discovered during internal testing.

CVE-2026-21672

A vulnerability allowing local privilege escalation on Windows-based Veeam Backup & Replication servers.

Severity: High
CVSS v3.1 Score: 8.8CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Source: Reported through HackerOne.

CVE-2026-21708

A vulnerability allowing a Backup Viewer to perform remote code execution (RCE) as the postgres user.

Severity: Critical
CVSS v3.1 Score: 9.9CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
Source: Discovered during internal testing.

CVE-2026-21709

A vulnerability allowing a local attacker with administrator privileges to bypass Windows Driver Signature Enforcement.

Severity: Medium
CVSS v3.1 Score: 6.7CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
Source: Reported through HackerOne.

Other Resolved Security-related Issues

  • Veeam Agent for Linux — Updated the port range that the software will open in the machine's firewall to align with other Veeam products. Veeam Agent for Linux will now open ports 2500-3300.

Solution

These vulnerabilities were fixed starting with the following build:

If this KB article did not resolve your issue or you need further assistance with Veeam software, please create a Veeam Support Case.

To submit feedback regarding this article, please click this link: Send Article Feedback
To report a typo on this page, highlight the typo with your mouse and press CTRL + Enter.

]]> <![CDATA[List of Security Fixes and Improvements in Veeam Agent for Linux]]> https://www.veeam.com/kb3109 2026-03-12T00:00:00Z 2026-03-12T00:00:00Z

List of Security Fixes and Improvements in Veeam Agent for Linux

KB ID: 3109
Product: Veeam Agent for Linux | 4.0 | 5.0 | 6.0 | 6.1 | 6.2 | 6.3 | 6.3.1 | 6.3.2 | 13
Published: 2020-03-02
Last Modified: 2026-03-12

Purpose

This article describes all security-related fixes and improvements introduced in each release or update of Veeam Agent for Linux.

The goal of this article is to provide our customers' security and compliance teams with the detailed information on security improvements between releases, in order to help them make an informed decision on whether it is critical to upgrade from their current Veeam Agent for Linux version to a latter one.

Security Fixes and Improvements

13.0.1.404

  • The port range opened on the host firewall was changed to 2500-3300.

13.0.1.94

  • OpenSSL upgraded to version 3.0.17

13.0.0.0.772

  • OpenSSL upgraded to version 3.0.8
     

6.3.2.1307

  • The port range opened on the host firewall was changed to 2500-3300.
     

6.2.0.101

6.1.0.1498

6.0.2.1168

  • OpenSSL Library updated to the newest version (1.0.2zg).

5.0.2.4707

  • OpenSSL was updated to v1.0.2zi.
  • liblz4 was updated to v1.9.4.
  • zlib was updated to v1.2.13.
  • PuTTY was updated to 0.80.
     

5.0.0.4318

  • Addressed an issue with insecure default permissions of files created in /tmp
  • LZ4 compression library version has been updated to version 1.9.2.
     

4.0.1.2365

  • Sensitive information used by managed Linux agent may get logged in the Linux operating system logs.
  • Creating an SMB repository using CLI command causes plain text password to be logged in the Veeam debug log.
     

4.0.0.1961

  • An issue of insecure file permissions was addressed (vulnerability reported by RACK911 Labs).
  • OpenSSL was updated to version 1.0.2t.

More Information

As we're establishing this new process, we appreciate any feedback on the content or format of this KB article. Please let us know in the corresponding topic on the Veeam Community Forums. If your feedback is too sensitive to be shared publicly, please submit it by opening a support case. We highly appreciate your collaboration!

If this KB article did not resolve your issue or you need further assistance with Veeam software, please create a Veeam Support Case.

To submit feedback regarding this article, please click this link: Send Article Feedback
To report a typo on this page, highlight the typo with your mouse and press CTRL + Enter.

]]> <![CDATA[List of Security Fixes and Improvements in Veeam Backup & Replication]]> https://www.veeam.com/kb3103 2026-03-12T00:00:00Z 2026-03-12T00:00:00Z

List of Security Fixes and Improvements in Veeam Backup & Replication

KB ID: 3103
Product: Veeam Backup & Replication | 10 | 11 | 12 | 12.1 | 12.2 | 12.3 | 12.3.1 | 12.3.2 | 13
Veeam Cloud Connect | 10 | 11 | 12 | 12.2 | 12.3 | 12.3.1 | 12.3.2 | 13
Published: 2020-03-02
Last Modified: 2026-03-12

Purpose

This article describes all security-related fixes and improvements introduced in each release or update of Veeam Backup & Replication.

The goal of this article is to provide our customers' security and compliance teams with detailed information on security improvements between releases, in order to help them make an informed decision on whether it is critical to upgrade from their current Veeam Backup & Replication version to a latter one.

Security Fixes and Improvements

13.0.1.2067

13.0.1.1071

13.0.1.180

  • OpenSSL upgraded to version 3.0.17
  • Microsoft.IdentityModel.JsonWebTokens upgraded to version 8.12.0
  • System.Security.Cryptography.Xml upgraded to version 8.0.2
  • Microsoft.AspNetCore.Server.Kestrel.Core upgraded to version 2.3.6
  • Microsoft.AspNetCore.Server.Kestrel.Transport.Sockets upgraded to version 2.3.0
     

13.0.0.4967

  • Communication protocol was switched to gRPC
  • OpenSSL upgraded to version 3.0.8
  • Libxml2 upgraded to version 2.13.8
  • Microsoft.AspNetCore.Server.Kestrel.Core upgraded to version 2.3.0
  • Newtonsoft.Json upgraded to version 13.0.1
  • RestSharp upgraded to version 112.1.0
  • Microsoft.Extensions.Caching.Memory upgraded to version 8.0.1
  • System.Text.Json upgraded to version 8.0.5
  • Microsoft.AspNetCore.Identity upgraded to version 2.3.1
     

12.3.2.4465

12.3.2.4165

12.3.2.3617

  • CVE-2025-23121 vulnerability was fixed.
  • CVE-2025-24286 vulnerability was fixed.
  • Azure.Identity upgraded to version 1.11.4
  • Microsoft.Identity.Client upgraded to version 4.61.3
  • Sustainsys.Saml2 upgraded to version 2.11.0
     

12.3.1.1139

12.3.0.310

12.2.0.334

12.1.2.172

  • PuTTY updated to version 0.81
  • VMware Virtual Disk Development Kit (VDDK) was updated to 7.0.3.4 to address  CVE-2023-38545.
  • Microsoft .NET 6.0.25 was updated to 6.0.29. 
  • Microsoft WebView2 was updated to 123.0.2420.81. 
  • PostgreSQL installer was updated to 15.6.1. 
  • Curl was updated to 8.5.
  • Vulnerability CVE-2024-29849 in Veeam Backup Enterprise Manager was fixed.
  • Vulnerability CVE-2024-29850 in Veeam Backup Enterprise Manager was fixed.
  • Vulnerability CVE-2024-29851 in Veeam Backup Enterprise Manager was fixed.
  • Vulnerability CVE-2024-29852 in Veeam Backup Enterprise Manager was fixed.

12.1.1.56

  • PuTTY updated to version 0.80
     

12.1.0.2131

  • OpenSSL library updated to 1.0.2zi
  • LZ4 library updated to 1.9.4
  • curl updated to 8.0.1
  • Azure Identity package updated to 1.10.2
  • Stronger backup encryption (see What's New in 12.1 p.7)
  • Enhanced protection for stored credentials  (see What's New in 12.1 p.7)
     

12.0.0.1420 P20230412

  • OpenSSL Library updated to the newest version (1.0.2zg).
     

12.0.0.1420 P20230223

  • Vulnerability (CVE-2023-27532) in Veeam Backup Service was fixed.
    This vulnerability was reported by Shanigen.
     

12.0.0.1420

11.0.1.1261 P20240304

  • VMware Virtual Disk Development Kit (VDDK) was updated to 7.0.3.4.
  • OpenSSL was updated to v1.0.2zi.
  • liblz4 was updated to v1.9.4.
  • zlib was updated to v1.2.13.
  • PuTTY was updated to 0.80.
     

11.0.1.1261 P20230227

  • Vulnerability (CVE-2023-27532) in Veeam Backup Service was fixed.
    This vulnerability was reported by Shanigen.
     

11.0.1.1261 P20220302

11.0.1.1261

  • Linux data mover: Added support for ECDHE TLS cipher suites; improved transport security.
  • Veeam Backup Enterprise Manager: hardened HTTP header configuration; disabled HTTP Trace method; restricted an ability to log into the Self-Service Restore Portal under NETWORK SERVICE accounts (the portal was dysfunctional for such logins).
  • Helper appliances: updated OpenVPN to version 2.4.11; updated OpenSSH to version 8.6.
  • Debug logs: Addressed issues which could result in sensitive information logged under certain circumstances.
     

11.0.0.837 P20210507

  • Vulnerability (CVE-2021-35971) in the deserialization logic of Microsoft .NET remoting has been fixed.
     

11.0.0.837

  • .NET remoting communication security has been improved.
  • Data Mover communication protocol security has been improved.
  • Agent Management architecture security has been improved.
  • Veeam Explorers integration security has been improved
  • Veeam Backup Enterprise Manager Web App configuration and headers security has been improved.
  • Addressed issues which could cause sensitive information logged in certain circumstances.
  • Third-party libraries in FLR and SureBackup helper appliance have been updated to current versions.
  • Sustansys.Saml2 has been updated to version 2.7 to address known vulnerabilities.
  • LZ4 compression library version has been updated to version 1.9.2
     

10.0.1.4854 P20220304

10.0.1.4854 P20210609

  • Vulnerability (CVE-2021-35971) in the deserialization logic of Microsoft .NET remoting has been fixed.
     

10.0.1.4854

  • NAS Backup functionality can be used to gain unprivileged access to files on managed servers.
  • Weak credentials encryption issue in guest processing command line parameter and in PowerShell cmdlet logs.
  • Server and IIS version information is included in the response header of the Veeam Backup Enterprise Manager web app.
  • Security of Agent Management architecture has been improved.
  • Security of Cloud Connect architecture has been improved.
  • libcurl version has been updated to 7.70
     

10.0.0.4461

  • A custom security descriptor was provided for the driver's control device (vulnerability reported by Mile Karry).
  • Deserialization issues were fixed (vulnerability reported by Harrison Neal).
  • A user authorization issue was fixed (vulnerability reported by Harrison Neal).
  • Security of the Enterprise Manager Web App configuration was improved.
  • Support for weak SSH ciphers was disabled in the recovery media ISOs.
  • OpenSSL library was updated to version 1.0.2t
  • Putty was updated to version 0.73
  • Weak TLS ciphers were disabled in the Surebackup Linux appliance.

More Information

As we're establishing this new process, we appreciate any feedback on the content or format of this KB article. Please let us know in the corresponding topic on the Veeam Community Forums. If your feedback is too sensitive to be shared publicly, please submit it by opening a support case. We highly appreciate your collaboration!

If this KB article did not resolve your issue or you need further assistance with Veeam software, please create a Veeam Support Case.

To submit feedback regarding this article, please click this link: Send Article Feedback
To report a typo on this page, highlight the typo with your mouse and press CTRL + Enter.

]]> <![CDATA[Vulnerabilities Resolved in Veeam Backup & Replication 13.0.1.1071]]> https://www.veeam.com/kb4792 2026-01-06T00:00:00Z 2026-01-06T00:00:00Z

Vulnerabilities Resolved in Veeam Backup & Replication 13.0.1.1071

KB ID: 4792
Product: Veeam Backup & Replication | 13
Published: 2026-01-06
Last Modified: 2026-01-06

All vulnerabilities documented in this article were resolved in Veeam Backup & Replication 13.0.1.1071.

Veeam Product Latest Version Download Page

Veeam Software Security Commitment
Veeam® is committed to ensuring its products protect customers from potential risks. As part of that commitment, we operate a Vulnerability Disclosure Program (VDP) for all Veeam products and perform extensive internal code audits. When a vulnerability is identified, our team promptly develops a patch to address and mitigate the risk. In line with our dedication to transparency, we publicly disclose the vulnerability and provide detailed mitigation information. This approach ensures that all potentially affected customers can quickly implement the necessary measures to safeguard their systems. It’s important to note that once a vulnerability and its associated patch are disclosed, attackers will likely attempt to reverse-engineer the patch to exploit unpatched deployments of Veeam software. This reality underscores the critical importance of ensuring that all customers use the latest versions of our software and install all updates and patches without delay.

Issue Details

All vulnerabilities disclosed in this article affect Veeam Backup & Replication 13.0.1.180 and all earlier version 13 builds.
Note: Previous versions of Veeam Backup & Replication (i.e., 12.x and older) are not impacted by these vulnerabilities.

CVE-2025-55125

This vulnerability allows a Backup or Tape Operator to perform remote code execution (RCE) as root by creating a malicious backup configuration file.

Severity: High
CVSS v3.1 Score: 7.2CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Source: Discovered during internal testing.

CVE-2025-59468

This vulnerability allows a Backup Administrator to perform remote code execution (RCE) as the postgres user by sending a malicious password parameter.

Severity: Medium
CVSS v3.1 Score: 6.7CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L
Source: Discovered during internal testing.

CVE-2025-59469

This vulnerability allows a Backup or Tape Operator to write files as root.

Severity: High
CVSS v3.1 Score: 7.2CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Source: Discovered during internal testing.

CVE-2025-59470

This vulnerability allows a Backup or Tape Operator to perform remote code execution (RCE) as the postgres user by sending a malicious interval or order parameter.

Adjusted Severity*: High
CVSS Severity: Critical
CVSS v3.1 Score: 9.0CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L
Source: Discovered during internal testing.

*Reason for Adjustment: The Backup and Tape Operator roles are considered highly privileged roles and should be protected as such. Following Veeam's recommended Security Guidelines further reduces the opportunity for exploitability. Due to these factors affecting the temporal and environmental vectors of CVSS, Veeam has adjusted its response to this vulnerability to align with that of a High severity rating.

Solution

These vulnerabilities were fixed starting with the following build:

If this KB article did not resolve your issue or you need further assistance with Veeam software, please create a Veeam Support Case.

To submit feedback regarding this article, please click this link: Send Article Feedback
To report a typo on this page, highlight the typo with your mouse and press CTRL + Enter.

]]> <![CDATA[List of Security Fixes and Improvements in Veeam Agent for Microsoft Windows]]> https://www.veeam.com/kb3108 2025-11-19T00:00:00Z 2025-11-19T00:00:00Z

List of Security Fixes and Improvements in Veeam Agent for Microsoft Windows

KB ID: 3108
Product: Veeam Agent for Microsoft Windows | 4.0 | 5.0 | 6.0 | 6.1 | 6.2 | 6.3 | 6.3.1 | 6.3.2 | 6.3.3 | 13
Published: 2020-03-02
Last Modified: 2025-11-19

Purpose

This article describes all security-related fixes and improvements introduced in each release or update of Veeam Agent for Microsoft Windows.

This article aims to provide our customers' security and compliance teams with detailed information on security improvements between releases to help them make an informed decision on whether it is critical to upgrade from their current Veeam Agent for Microsoft Windows version to a later one.

Security Fixes and Improvements

13.0.1.120

  • OpenSSL upgraded to version 3.0.17
     

13.0.0.835

  • Communication protocol was switched to gRPC
  • OpenSSL upgraded to version 3.0.8
  • System.IdentityModel.Tokens.Jwt upgraded to version 8.0.2

 

6.3.2.1302

 

6.3.2.1205

 

6.3.0.177

  • Vulnerability (CVE-2024-45207) in Veeam Agent for Microsoft Windows was fixed.

 

6.1.2.134

  • Vulnerability (CVE-2024-29853) in Veeam Agent for Microsoft Windows was fixed.
     

6.1.0.349

6.0.2.1090

  • OpenSSL Library updated to the newest version (1.0.2zg).
     

6.0.0.960

  • Added support for networks with NTLM authentication disabled (Kerberos-only authentication).
  • Audit capabilities were improved.
  • zlib has been updated to version 1.2.13.
  • OpenSSL version has been updated to 1.0.2ze.
     

5.0.3.5029

  • OpenSSL was updated to v1.0.2zi.
  • liblz4 was updated to v1.9.4.
  • zlib was updated to v1.2.13.
  • PuTTY was updated to 0.80.
     

5.0.3.4708

5.0.0.4301

  • LZ4 compression library version has been updated to version 1.9.2
     

4.0.2.2208

4.0.0.1811

  • A custom security descriptor was provided for the driver's control device (vulnerability reported by Mile Karry).
  • Deserialization issues were fixed (vulnerability reported by Harrison Neal).
  • A user authorization issue was fixed (vulnerability reported by Harrison Neal).
  • OpenSSL was updated to version 1.0.2t

More Information

As we're establishing this new process, we appreciate any feedback on the content or format of this KB article. Please let us know in the related topic on the Veeam R&D Forums. If your feedback is too sensitive to be shared publicly, please submit it by opening a support case. We highly appreciate your collaboration!

If this KB article did not resolve your issue or you need further assistance with Veeam software, please create a Veeam Support Case.

To submit feedback regarding this article, please click this link: Send Article Feedback
To report a typo on this page, highlight the typo with your mouse and press CTRL + Enter.

]]> <![CDATA[Vulnerabilities Resolved in Veeam Backup & Replication 12.3.2.4165 Patch]]> https://www.veeam.com/kb4771 2025-10-14T00:00:00Z 2025-10-14T00:00:00Z

Vulnerabilities Resolved in Veeam Backup & Replication 12.3.2.4165 Patch

KB ID: 4771
Product: Veeam Backup & Replication | 12 | 12.1 | 12.2 | 12.3 | 12.3.1 | 12.3.2
Published: 2025-10-14
Last Modified: 2025-10-15

All vulnerabilities documented in this article were resolved in Veeam Backup & Replication 12.3.2.4165 Patch.

Veeam Product Latest Version Download Page

Veeam Software Security Commitment
Veeam® is committed to ensuring its products protect customers from potential risks. As part of that commitment, we operate a Vulnerability Disclosure Program (VDP) for all Veeam products and perform extensive internal code audits. When a vulnerability is identified, our team promptly develops a patch to address and mitigate the risk. In line with our dedication to transparency, we publicly disclose the vulnerability and provide detailed mitigation information. This approach ensures that all potentially affected customers can quickly implement the necessary measures to safeguard their systems. It’s important to note that once a vulnerability and its associated patch are disclosed, attackers will likely attempt to reverse-engineer the patch to exploit unpatched deployments of Veeam software. This reality underscores the critical importance of ensuring that all customers use the latest versions of our software and install all updates and patches without delay.

Issue Details

CVE-2025-48983

A vulnerability in the Mount service of Veeam Backup & Replication, which allows for remote code execution (RCE) on the Backup infrastructure hosts by an authenticated domain user.

Severity: Critical
CVSS v3.1 Score: 9.9CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Source: Reported by CODE WHITE.

Note: This vulnerability only impacts domain-joined backup infrastructure servers added to Veeam Backup & Replication v12. Backup infrastructure servers that are not domain-joined are not impacted by this vulnerability.
Veeam Backup & Replication Security Best Practice Guide > Workgroup or Domain?
Affected Product

Veeam Backup & Replication 12.3.2.3617 and all earlier version 12 builds.
Note: Unsupported product versions are not tested, but are likely affected and should be considered vulnerable.

Note: The Veeam Software Appliance and upcoming Veeam Backup & Replication v13 software for Microsoft Windows are architecturally not impacted by these types of vulnerabilities.
Solution

This vulnerability was fixed starting in the following build:

CVE-2025-48984

A vulnerability allowing remote code execution (RCE) on the Backup Server by an authenticated domain user.

Severity: Critical
CVSS v3.1 Score: 9.9>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Source: Reported by Sina Kheirkhah (@SinSinology) and Piotr Bazydlo (@chudyPB) of watchTowr.

Note: This vulnerability only impacts domain-joined Veeam Backup & Replication v12 backup servers. Backup servers that are not domain-joined are not impacted by this vulnerability.
Veeam Backup & Replication Security Best Practice Guide > Workgroup or Domain?
Affected Product

Veeam Backup & Replication 12.3.2.3617 and all earlier version 12 builds.
Note: Unsupported product versions are not tested, but are likely affected and should be considered vulnerable.

Note: The Veeam Software Appliance and upcoming Veeam Backup & Replication v13 software for Microsoft Windows are architecturally not impacted by these types of vulnerabilities.
Solution

This vulnerability was fixed starting in the following build:

CVE-2025-48982

This vulnerability in Veeam Agent for Microsoft Windows allows for Local Privilege Escalation if a system administrator is tricked into restoring a malicious file.

Severity: High
CVSS v3.1 Score: 7.3CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Source: Reported by an anonymous contributor working with the Trend Zero Day Initiative.

Affected Product

Veeam Agent for Microsoft Windows 6.3.2.1205 and all earlier version 6 builds.
Note: Unsupported product versions are not tested, but are likely affected and should be considered vulnerable.

Solution

This vulnerability was fixed starting in the following build:

If this KB article did not resolve your issue or you need further assistance with Veeam software, please create a Veeam Support Case.

To submit feedback regarding this article, please click this link: Send Article Feedback
To report a typo on this page, highlight the typo with your mouse and press CTRL + Enter.

]]> <![CDATA[List of Security Fixes and Improvements in Veeam Backup for Nutanix AHV]]> https://www.veeam.com/kb4236 2025-09-03T00:00:00Z 2025-09-03T00:00:00Z

List of Security Fixes and Improvements in Veeam Backup for Nutanix AHV

KB ID: 4236
Product: Veeam Backup for Nutanix AHV | 2.1 | 3.0 | 4.0 | 5.0 | 5.1 | 6 | 6.1 | 7 | 9
Published: 2021-11-03
Last Modified: 2025-09-03

Purpose

This article describes all security-related fixes and improvements introduced in each release or update of Veeam Backup for Nutanix AHV.

This article aims to provide our customers' security and compliance teams with detailed information on security improvements between releases to help them decide whether it is critical to upgrade from their current Veeam Backup for Nutanix AHV version to a later one.

Security Fixes and Improvements

Veeam Plug-in for Nutanix AHV 13.8  (Veeam Backup for Nutanix AHV 8)

  • system.linq.dynamic.core was updated to version 1.6.0.2
     

Veeam Backup for Nutanix AHV 6

  • @microsoft/signalr/ws was updated to version 7.5.10
  • @microsoft/signalr was updated to version 6.0.25
  • Microsoft.EntityFrameworkCore was updated to version 8.0.5
  • Npgsql.EntityFrameworkCore.PostgreSQL was updated to version 8.0.4
  • Microsoft.Identity.Client was updated to version 4.60.3
  • Azure.Identity was updated to version 1.11.0
  • Google.Protobuf was updated to version 3.15.0
  • Google.Protobuf.Tools was updated to version 3.15.0
     

Veeam Backup for Nutanix AHV 5.1

  • AHV Proxy OS was upgraded to Ubuntu 22.04
  • traverse library was updated to 7.23.2
  • tough-cookie was updated to 4.1.3
  • System.Linq.Dynamic.Core was updated to 1.3.3
     

Veeam Backup for Nutanix AHV 4a

  • Upgraded OpenSSL to version 1.0.2zg
     

Veeam Backup for Nutanix AHV 4

  • AHV Proxy OS upgraded to Ubuntu 20.04
  • .NET Core updated to version 6
  • 3rd party components were updated
  • Added brute-force protection to REST API
  • Web App configuration has been improved, strict-transport-security header has been added
  • SMTP certificate validation added for email notifications
  • Newtonsoft.Json library has been updated to version 13.0.1
  • Google.Protobuf library has been updated to version 3.21.9
     

Veeam Backup for Nutanix AHV 3

  • AHV Proxy OS upgraded to Ubuntu 18.04
  • .NET Core updated to version 3.1
     

Veeam Backup for Nutanix AHV 2.1

  • AHV Backup Proxy no longer uses the following unsafe TLS ciphers:
    • TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA
    • TLS_ECDH_anon_WITH_AES_128_CBC_SHA
    • TLS_ECDH_anon_WITH_AES_256_CBC_SHA
    • TLS_ECDH_anon_WITH_RC4_128_SHA

More Information

As we're establishing this new process, we appreciate any feedback on the content or format of this KB article. Please let us know in the corresponding topic on the Veeam Community Forums. If your feedback is too sensitive to be shared publicly, please submit it by opening a support case. We highly appreciate your collaboration!

If this KB article did not resolve your issue or you need further assistance with Veeam software, please create a Veeam Support Case.

To submit feedback regarding this article, please click this link: Send Article Feedback
To report a typo on this page, highlight the typo with your mouse and press CTRL + Enter.

]]> <![CDATA[Vulnerabilities Resolved in Veeam Backup & Replication 12.3.2]]> https://www.veeam.com/kb4743 2025-06-17T00:00:00Z 2025-06-17T00:00:00Z

Vulnerabilities Resolved in Veeam Backup & Replication 12.3.2

KB ID: 4743
Product: Veeam Backup & Replication | 12 | 12.1 | 12.2 | 12.3 | 12.3.1
Veeam Agent for Microsoft Windows | 6.0 | 6.1 | 6.2 | 6.3 | 6.3.1
Published: 2025-06-17
Last Modified: 2025-07-24

All vulnerabilities documented in this article were resolved in Veeam Backup & Replication 12.3.2.

Veeam Product Latest Version Download Page

Veeam Software Security Commitment
Veeam® is committed to ensuring its products protect customers from potential risks. As part of that commitment, we operate a Vulnerability Disclosure Program (VDP) for all Veeam products and perform extensive internal code audits. When a vulnerability is identified, our team promptly develops a patch to address and mitigate the risk. In line with our dedication to transparency, we publicly disclose the vulnerability and provide detailed mitigation information. This approach ensures that all potentially affected customers can quickly implement the necessary measures to safeguard their systems. It’s important to note that once a vulnerability and its associated patch are disclosed, attackers will likely attempt to reverse-engineer the patch to exploit unpatched deployments of Veeam software. This reality underscores the critical importance of ensuring that all customers use the latest versions of our software and install all updates and patches without delay.

Issue Details

CVE-2025-23121

A vulnerability allowing remote code execution (RCE) on the Backup Server by an authenticated domain user.

Severity: Critical
CVSS v3.0 Score: 9.9CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Source: Reported Piotr Bazydlo (@chudyPB) of watchTowr and CodeWhite.

Note: This vulnerability only impacts domain-joined backup servers.
Veeam Backup & Replication Security Best Practice Guide > Workgroup or Domain?
Affected Product

Veeam Backup & Replication 12.3.1.1139 and all earlier version 12 builds.
Note: Unsupported product versions are not tested, but are likely affected and should be considered vulnerable.

Solution

This vulnerability was fixed starting in the following build:

CVE-2025-24286

A vulnerability allowing an authenticated user with the Backup Operator role to modify backup jobs, which could execute arbitrary code.

Severity: High
CVSS v3.1 Score: 7.2CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Source: Reported by Nikolai Skliarenko with Trend Micro.

Affected Product

Veeam Backup & Replication 12.3.1.1139 and all earlier version 12 builds.
Note: Unsupported product versions are not tested, but are likely affected and should be considered vulnerable.

Solution

This vulnerability was fixed starting in the following build:

CVE-2025-24287

A vulnerability allowing local system users to modify directory contents, allowing for arbitrary code execution on the local system with elevated permissions.

Severity: Medium
CVSS v3.1 Score: 6.1CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
Source: Reported by an anonymous contributor working with the Trend Zero Day Initiative.

Affected Product

Veeam Agent for Microsoft Windows 6.3.1.1074 and all earlier version 6 builds.
Note: Unsupported product versions are not tested, but are likely affected and should be considered vulnerable.

Solution

This vulnerability was fixed starting in the following build:

If this KB article did not resolve your issue or you need further assistance with Veeam software, please create a Veeam Support Case.

To submit feedback regarding this article, please click this link: Send Article Feedback
To report a typo on this page, highlight the typo with your mouse and press CTRL + Enter.

]]> <![CDATA[CVE-2025-23120]]> https://www.veeam.com/kb4724 2025-03-19T00:00:00Z 2025-03-19T00:00:00Z

CVE-2025-23120

KB ID: 4724
Product: Veeam Backup & Replication | 12 | 12.1 | 12.2 | 12.3
Published: 2025-03-19
Last Modified: 2025-03-24
Veeam Software Security Commitment
Veeam® is committed to ensuring its products protect customers from potential risks. As part of that commitment, we operate a Vulnerability Disclosure Program (VDP) for all Veeam products and perform extensive internal code audits. When a vulnerability is identified, our team promptly develops a patch to address and mitigate the risk. In line with our dedication to transparency, we publicly disclose the vulnerability and provide detailed mitigation information. This approach ensures that all potentially affected customers can quickly implement the necessary measures to safeguard their systems. It’s important to note that once a vulnerability and its associated patch are disclosed, attackers will likely attempt to reverse-engineer the patch to exploit unpatched deployments of Veeam software. This reality underscores the critical importance of ensuring that all customers use the latest versions of our software and install all updates and patches without delay.

Issue Details

CVE-2025-23120

A vulnerability allowing remote code execution (RCE) on the Backup Server by an authenticated domain user.

Severity: Critical
CVSS v3.1 Score: 9.9AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Source: Reported by Piotr Bazydlo of watchTowr.

Note: This vulnerability only impacts domain-joined backup servers.

Veeam Backup & Replication Security Best Practice Guide > Workgroup or Domain?
Affected Product

Veeam Backup & Replication 12.3.0.310 and all earlier version 12 builds.
Note: Unsupported product versions are not tested, but are likely affected and should be considered vulnerable.

Solution

The vulnerability documented in this section was fixed starting in the following build:
Upgrading to Veeam Backup & Replication 12.3.1 is the recommended way to mitigate this vulnerability. Please click the link above to review the Release Information for Veeam Backup & Replication 12.3.1, download links for the upgrade and update ISOs are provided in the above-linked KB article.

More Information

Vulnerability Hotfix for Veeam Backup & Replication 12.3

For existing deployments of Veeam Backup & Replication 12.3 (build 12.3.0.310), a hotfix to resolve this vulnerability has been developed and is intended for customers who cannot immediately update to version 12.3.1.

For deployments operating of Veeam Backup & Replication lower than 12.3.0.310, please upgrade directly to version 12.3.1.

Note: This hotfix can only be installed if Veeam Backup & Replication 12.3 has no other hotfixes installed, as it may overwrite earlier hotfixes. If other hotfixes for version 12.3 have been installed, the deployment must be updated to 12.3.1.

download hotfix for 12.3

This hotfix is only compatible with Veeam Backup & Replication 12.3 (build 12.3.0.310).

Filename: VeeamBackup&Replication_12.3.0.310_KB4724.zip
MD5: 5185235DEA2AC9F2814638534B16A6DB
SHA1: 4B1C3A7F2F051D958EAF363E2739B1B38C4A4F8C

This hotfix does not change the build number of the software. To validate that the hotfix has been deployed, compare the hash value of the files present on the system with the known hash value of the hotfix files.

  • Veeam.Backup.Common.dll — SHA1: F81B62807D82D9648733B1BF5AD70172B6CB19AA
  • Veeam.Backup.EsxManager.dll — SHA1: 9D72DD7E5CBE920454E7508AAF328CD1A59197E0

The following PowerShell commands can be used to check the SHA1 hash value of a given file.
Note: These commands check the dll in its default location, the path may need to adjusted if Veeam Backup & Replication was installed to a different drive or folder.

Get-FileHash -Path 'C:\Program Files\Veeam\Backup and Replication\Backup\Veeam.Backup.Common.dll' -Algorithm SHA1
Get-FileHash -Path 'C:\Program Files\Veeam\Backup and Replication\Backup\Veeam.Backup.EsxManager.dll' -Algorithm SHA1

If this KB article did not resolve your issue or you need further assistance with Veeam software, please create a Veeam Support Case.

To submit feedback regarding this article, please click this link: Send Article Feedback
To report a typo on this page, highlight the typo with your mouse and press CTRL + Enter.

]]> <![CDATA[CVE-2025-23114]]> https://www.veeam.com/kb4712 2025-02-04T00:00:00Z 2025-02-04T00:00:00Z

CVE-2025-23114

KB ID: 4712
Product: Veeam Backup for Salesforce
Veeam Backup for Nutanix AHV
Veeam Backup for AWS
Veeam Backup for Microsoft Azure
Veeam Backup for Google Cloud
Veeam Backup for Oracle Linux Virtualization Manager and Red Hat Virtualization
Published: 2025-02-04
Last Modified: 2025-02-14
Veeam Software Security Commitment
Veeam® is committed to ensuring its products protect customers from potential risks. As part of that commitment, we operate a Vulnerability Disclosure Program (VDP) for all Veeam products and perform extensive internal code audits. When a vulnerability is identified, our team promptly develops a patch to address and mitigate the risk. In line with our dedication to transparency, we publicly disclose the vulnerability and provide detailed mitigation information. This approach ensures that all potentially affected customers can quickly implement the necessary measures to safeguard their systems. It’s important to note that once a vulnerability and its associated patch are disclosed, attackers will likely attempt to reverse-engineer the patch to exploit unpatched deployments of Veeam software. This reality underscores the critical importance of ensuring that all customers use the latest versions of our software and install all updates and patches without delay.
Automatic Updates

The vulnerability discussed in this article affects the Veeam Updater component within the backup appliances used by the listed applications. The updated version of this Veeam Updater component will have been published to the Veeam Repository alongside the release of this announcement. As automatic updates are enabled for all backup appliances associated with this issue, all actively supported backup appliance versions will automatically download and install this updated version of the Veeam Updater component.

Furthermore, for all applications other than Veeam Backup for Salesforce, the latest version of each appliance discussed in this article is unaffected by this vulnerability. This means that customers whose Veeam Backup & Replication deployments utilize these backup appliances are unaffected if they have already upgraded to version 12.3 and updated those backup appliances.

Note: Customers who do not use any of the applications listed in the Issue Details section are entirely unaffected by this vulnerability. For information about checking whether such backup appliances are managed by Veeam Backup & Replication, please refer to the More Information section.

Issue Details

CVE-2025-23114

A vulnerability within the Veeam Updater component that allows an attacker to utilize a Man-in-the-Middle attack to execute arbitrary code on the affected appliance server with root-level permissions.

Severity: Critical
CVSS v3.1 Score: 9.0CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Source:  Reported by @putsi via HackerOne.
 

Affected Products

Current Releases

The following product's current release is affected by this vulnerability:

  • Veeam Backup for Salesforce — 3.1 and older
     
Previous Releases

The following product's older releases utilize an older Veeam Updater component that was also found to be affected.
As noted below each entry, the most recent version of each of these appliances is not affected. Therefore, if Veeam Backup & Replication is running version 12.3, and the appliances for these applications have been updated, they will be running a current and unaffected version.

  • Veeam Backup for Nutanix AHV — 5.0 | 5.1
    Note: Version 6 (released on 2024-08-24 alongside VBR 12.2) and higher are unaffected by this vulnerability.
  • Veeam Backup for AWS — 6a |  7
    Note: The most recent version (v8), released on 2024-07-02, is unaffected by this vulnerability.
  • Veeam Backup for Microsoft Azure — 5a | 6
    Note: The most recent version (v7), released on 2024-07-02, is unaffected by this vulnerability.
  • Veeam Backup for Google Cloud — 4 | 5
    Note: The most recent version (v6), released on 2024-12-03, is unaffected by this vulnerability.
  •  Veeam Backup for Oracle Linux Virtualization Manager and Red Hat Virtualization — 3 | 4.0 | 4.1
    Note: Version 5 (released on 2024-08-24 alongside VBR 12.2) and higher are unaffected by this vulnerability.

Solution

Veeam Backup for Salesforce

The vulnerability was resolved in Veeam Updater component version 9.0.0.1124.

Checking for Updates using the built-in Veeam Updater to update the Veeam Updater component.

View updates history, and check the Veeam Updater version shown in the top-right corner.

Veeam Backup for Nutanix AHV

Note: If Veeam Backup & Replication 12.3 is installed, and the Veeam Backup for Nutanix AHV appliance has already been upgraded, the appliance is unaffected by this vulnerability.

The vulnerability was resolved in Veeam Updater component version 9.0.0.1125.

Checking for Updates using the built-in Veeam Updater to update the Veeam Updater component.

View updates history, and check the Veeam Updater version shown in the top-right corner.

Veeam Backup for AWS

Note: If Veeam Backup & Replication 12.3 is installed, and the AWS backup appliance has already been upgraded, the appliance is unaffected by this vulnerability.

The vulnerability was resolved in Veeam Updater component version 9.0.0.1126.

Checking for Updates using the built-in Veeam Updater to update the Veeam Updater component.

View updates history, and check the Veeam Updater version shown in the top-right corner.

Veeam Backup for Microsoft Azure

Note: If Veeam Backup & Replication 12.3 is installed, and the Microsoft Azure backup appliance has already been upgraded, the appliance is unaffected by this vulnerability.

The vulnerability was resolved in Veeam Updater component version 9.0.0.1128.

Checking for Updates using the built-in Veeam Updater to update the Veeam Updater component.

View updates history, and check the Veeam Updater version shown in the top-right corner.

Veeam Backup for Google Cloud

Note: If Veeam Backup & Replication 12.3 is installed, and the Google Cloud backup appliance has already been upgraded, the appliance is unaffected by this vulnerability.

The vulnerability was resolved in Veeam Updater component version 9.0.0.1126.

Checking for Updates using the built-in Veeam Updater to update the Veeam Updater component.

View updates history, and check the Veeam Updater version shown in the top-right corner.

Veeam Backup for Oracle Linux Virtualization Manager and Red Hat Virtualization

Note: If Veeam Backup & Replication 12.3 is installed, and the Veeam Backup for Oracle Linux Virtualization Manager and Red Hat Virtualization appliance has already been upgraded, the appliance is unaffected by this vulnerability.

The vulnerability was resolved in Veeam Updater component version 9.0.0.1127.
All Veeam Updater component versions equal to or higher than this are unaffected by this vulnerability.

Update the backup appliance from within the Veeam Backup & Replication Console.

To check which Veeam Updater component is used by the Veeam Backup for Oracle Linux Virtualization Manager and Red Hat Virtualization appliance:

  1. Download support logs from the appliance.
  2. Within the collected logs, open the file "<log_bundle>/veeam/veeam-updater/updater.log"
  3. Review the logs to identify the Veeam Updater component version. In most cases, the version will be listed in the lines just after a reference to the service Starting.
    • For newer unaffected appliance versions (v5 and higher), the entry will appear as "Application           :  Veeam.Updater, Version=".
      For example: 
       Starting log. Severity threshold: Information, LogFilesNumber = 10, LogFileMaxSize = 10 Mbs, ArchivesLimit = 10
-----------------------------------------------------------------------------------------------------------------
Release version       :  11.0.0.754
Application           :  Veeam.Updater, Version=11.0.0.754, Culture=neutral, PublicKeyToken=null
    • For older affected appliance versions (v3, v4, and v4.1), the entry will appear as "Main.main: Version:"
      For example: 
      MM.DD.YYYY HH:MM:SS [info    ] ### [###] Main.main: ============= Starting =============
MM.DD.YYYY HH:MM:SS [info    ] ### [###] Main.main: Version: 9.0.0.1087
      In this example the Veeam Updater build is less than the fixed build (9.0.0.1127) and would indicate that the Veeam Backup for Oracle Linux Virtualization Manager and Red Hat Virtualization backup appliance needs to be updated.

More Information

If a Veeam Backup & Replication deployment is not protecting AWS, Google Cloud, Microsoft Azure, Nutanix AHV, or Oracle Linux VM/Red Hat Virtualization, such a deployment is not impacted by the vulnerability discussed in this article.

You can verify if Veeam Backup & Replication manages any of these affected backup appliances by checking the Backup Infrastructure > Managed Servers list for any of the following entry types:

  • Nutanix AHV / Nutanix Prism Central / Nutanix AHV Cluster
  • AWS backup appliance
  • Microsoft Azure backup appliance
  • Google Cloud backup appliance
  • oVirt KVM Manager

If this KB article did not resolve your issue or you need further assistance with Veeam software, please create a Veeam Support Case.

To submit feedback regarding this article, please click this link: Send Article Feedback
To report a typo on this page, highlight the typo with your mouse and press CTRL + Enter.

]]> <![CDATA[Veeam Backup for Microsoft Azure Vulnerability - CVE-2025-23082]]> https://www.veeam.com/kb4709 2025-01-13T00:00:00Z 2025-01-13T00:00:00Z

Veeam Backup for Microsoft Azure Vulnerability
(CVE-2025-23082)

KB ID: 4709
Product: Veeam Backup for Microsoft Azure | 7
Published: 2025-01-13
Last Modified: 2025-01-29
Veeam Software Security Commitment
Veeam® is committed to ensuring its products protect customers from potential risks. As part of that commitment, we operate a Vulnerability Disclosure Program (VDP) for all Veeam products and perform extensive internal code audits. When a vulnerability is identified, our team promptly develops a patch to address and mitigate the risk. In line with our dedication to transparency, we publicly disclose the vulnerability and provide detailed mitigation information. This approach ensures that all potentially affected customers can quickly implement the necessary measures to safeguard their systems. It’s important to note that once a vulnerability and its associated patch are disclosed, attackers will likely attempt to reverse-engineer the patch to exploit unpatched deployments of Veeam software. This reality underscores the critical importance of ensuring that all customers use the latest versions of our software and install all updates and patches without delay.
Article Applicability

This article documents a vulnerability discovered in the Veeam Backup for Microsoft Azure backup appliance, which is used by Veeam Backup & Replication to protect Microsoft Azure workloads.

If a Veeam Backup & Replication deployment is not protecting Microsoft Azure workloads, such a deployment is not impacted by the vulnerability discussed in this article.

You can verify if Veeam Backup & Replication manages a Veeam Backup for Microsoft Azure backup appliance by checking the Backup Infrastructure > Managed Servers list for any 'Microsoft Azure backup appliance' type entries.

Issue Details

CVE-2025-23082

A vulnerability that may allow an attacker to utilize Server-Side Request Forgery (SSRF) to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks.

Affects Veeam Backup for Microsoft Azure 7.1.0.22 and all earlier versions.

Severity: High
CVSS v3.1 Score: 7.2CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Source: Discovered during internal testing.

Solution

This vulnerability was fixed starting in the following build of Veeam Backup for Microsoft Azure:

If this KB article did not resolve your issue or you need further assistance with Veeam software, please create a Veeam Support Case.

To submit feedback regarding this article, please click this link: Send Article Feedback
To report a typo on this page, highlight the typo with your mouse and press CTRL + Enter.

]]> <![CDATA[Vulnerabilities Resolved in Veeam Backup & Replication 12.3]]> https://www.veeam.com/kb4693 2024-12-03T00:00:00Z 2024-12-03T00:00:00Z

Vulnerabilities Resolved in Veeam Backup & Replication 12.3

KB ID: 4693
Product: Veeam Backup & Replication | 12 | 12.1 | 12.2
Veeam Agent for Microsoft Windows | 6.0 | 6.1 | 6.2
Published: 2024-12-03
Last Modified: 2025-03-14

All vulnerabilities documented in this article were resolved in Veeam Backup & Replication 12.3.

Veeam Product Latest Version Download Page

Veeam Software Security Commitment
Veeam® is committed to ensuring its products protect customers from potential risks. As part of that commitment, we operate a Vulnerability Disclosure Program (VDP) for all Veeam products and perform extensive internal code audits. When a vulnerability is identified, our team promptly develops a patch to address and mitigate the risk. In line with our dedication to transparency, we publicly disclose the vulnerability and provide detailed mitigation information. This approach ensures that all potentially affected customers can quickly implement the necessary measures to safeguard their systems. It’s important to note that once a vulnerability and its associated patch are disclosed, attackers will likely attempt to reverse-engineer the patch to exploit unpatched deployments of Veeam software. This reality underscores the critical importance of ensuring that all customers use the latest versions of our software and install all updates and patches without delay.

Veeam Backup & Replication

Issue Details

All vulnerabilities disclosed in this section affect Veeam Backup & Replication 12.2.0.334 and all earlier version 12 builds.
Unsupported product versions are not tested, but are likely affected and should be considered vulnerable.

CVE-2024-40717

A vulnerability allows an authenticated user with a role assigned in the Users and Roles settings on the backup server to execute a script with elevated privileges by configuring it as a pre-job or post-job task, thereby causing the script to be executed as LocalSystem.

Severity: High
CVSS v3.1 Score: 8.8CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Source: Discovered during internal testing.

CVE-2024-42451

A vulnerability allows an authenticated user with a role assigned in the Users and Roles settings on the backup server to access all saved credentials in a human-readable format.

Severity: High
CVSS v3.1 Score: 7.7CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Source: Discovered during internal testing.

CVE-2024-42452

A vulnerability allows an authenticated user with a role assigned in the Users and Roles settings on the backup server to remotely upload files to connected ESXi hosts with elevated privileges.

Severity: High
CVSS v3.1 Score: 8.8CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Source: Discovered during internal testing.

CVE-2024-42453

A vulnerability allows an authenticated user with a role assigned in the Users and Roles settings on the backup server to control and modify the configuration of connected virtual infrastructure hosts.

Severity: High
CVSS v3.1 Score: 8.8CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Source: Discovered during internal testing.

CVE-2024-42455

A vulnerability that allows an authenticated user with a role assigned in the Users and Roles settings on the backup server to connect to remote services and exploit insecure deserialization by sending a serialized temporary file collection, thereby enabling the deletion of any file on the system with service account privileges.

Severity: High
CVSS v3.1 Score: 7.1CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
Source: Reported by Sina Kheirkhah of watchTowr.

CVE-2024-42456

A vulnerability that allows an authenticated user with a role assigned in the Users and Roles settings on the backup server to gain access to privileged methods and control critical services.

Severity: High
CVSS v3.1 Score: 8.8CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Source: Reported via HackerOne.

CVE-2024-42457

A vulnerability that allows an authenticated user with certain assigned operator roles in the Users and Roles settings on the backup server to expose saved credentials by leveraging a combination of methods in the remote management interface.

Severity: High
CVSS v3.1 Score: 7.7CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Source: Discovered during internal testing.

CVE-2024-45204

A vulnerability that allows an authenticated user with an assigned role in the Users and Roles settings on the backup server to exploit insufficient permissions in credential handling, potentially leading to the leakage of NTLM hashes of saved credentials.

Severity: High
CVSS v3.1 Score: 7.7CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Source: Discovered during internal testing.

Solution

The vulnerabilities documented in this section were fixed starting in the following build:

Mitigation Information


The Veeam Backup & Replication vulnerabilities discussed in this section are related to the ability of an authenticated malicious user with a limited role (Viewer/Operator) to perform certain actions that are normally only possible with administrative privileges on the backup server.  To mitigate these vulnerabilities until the backup server can be upgraded to version 12.3, simply remove untrusted and/or unnecessary users from the Users and Roles settings on the backup server for the time being.

  • Review all users assigned a Role within Veeam Backup & Replication.
  • For each user with an Operator or View role, assess internal necessity and remove access for users who do not strictly need it.

Veeam Agent for Microsoft Windows

Issue Details

The vulnerability disclosed in this section affects Veeam Agent for Microsoft Windows 6.2 and all earlier version 6 builds.
Unsupported product versions are not tested, but are likely affected and should be considered vulnerable.

CVE-2024-45207

A vulnerability could lead to a DLL injection attack when the PATH environment variable is altered to include directories where an attacker can write files.

Severity: High
CVSS v3.1 Score: 7.0CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Source: Reported via HackerOne by Faisal Alghamdi of Saudi Aramco.

Solution

The vulnerability documented in this section was fixed starting in the following build:

Mitigation Information

The Veeam Agent for Microsoft Windows vulnerability discussed in this section can only be exploited in environments where directories that can be written to by untrusted users have been added to the PATH environment variable and whose presence is classified as a known CWE-426 weakness. As such, this vulnerability can be mitigated by removing such directories from the PATH variable.
Note: The default Windows PATH environment variable does not include paths writable by untrusted users.

If this KB article did not resolve your issue or you need further assistance with Veeam software, please create a Veeam Support Case.

To submit feedback regarding this article, please click this link: Send Article Feedback
To report a typo on this page, highlight the typo with your mouse and press CTRL + Enter.

]]> <![CDATA[Veeam Service Provider Console Vulnerability (CVE-2024-42448 | CVE-2024-42449)]]> https://www.veeam.com/kb4679 2024-12-03T00:00:00Z 2024-12-03T00:00:00Z

Veeam Service Provider Console Vulnerabilities
(CVE-2024-42448 | CVE-2024-42449)

KB ID: 4679
Product: Veeam Service Provider Console | 8.1
Published: 2024-12-03
Last Modified: 2024-12-04
Veeam Software Security Commitment
Veeam® is committed to ensuring its products protect customers from potential risks. As part of that commitment, we operate a Vulnerability Disclosure Program (VDP) for all Veeam products and perform extensive internal code audits. When a vulnerability is identified, our team promptly develops a patch to address and mitigate the risk. In line with our dedication to transparency, we publicly disclose the vulnerability and provide detailed mitigation information. This approach ensures that all potentially affected customers can quickly implement the necessary measures to safeguard their systems. It’s important to note that once a vulnerability and its associated patch are disclosed, attackers will likely attempt to reverse-engineer the patch to exploit unpatched deployments of Veeam software. This reality underscores the critical importance of ensuring that all customers use the latest versions of our software and install all updates and patches without delay.
Article Applicability

This article documents a vulnerability discovered in Veeam Service Provider Console.

This vulnerability does not affect other Veeam products (e.g., Veeam Backup & Replication, Veeam Agent for Microsoft Windows, Veeam ONE).

Issue Details

All vulnerabilities disclosed in this section affect Veeam Service Provider Console 8.1.0.21377 and all earlier versions 8 and 7 builds.

Note: Private fixes for the Veeam Service Provider Console increase the build number. Therefore, if a private fix has been applied, the deployed build number may exceed the GA build number mentioned above. In such instances, any deployed build number lower than the build reference in the Solution section should be considered affected.
Unsupported product versions are not tested, but are likely affected and should be considered vulnerable.

CVE-2024-42448

From the VSPC management agent machine, under the condition that the management agent is authorized on the server, it is possible to perform Remote Code Execution (RCE) on the VSPC server machine.

Severity: Critical
CVSS v3.1 Score: 9.9CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Source: Discovered during internal testing.

CVE-2024-42449

From the VSPC management agent machine, under the condition that the management agent is authorized on the server, it is possible to leak an NTLM hash of the VSPC server service account and delete files on the VSPC server machine.

Severity: High
CVSS v3.1 Score: 7.1CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Source: Discovered during internal testing.

Solution

The vulnerability documented in this article was fixed starting in the following build of Veeam Service Provider Console:
Critical Update
We encourage service providers using supported versions of Veeam Service Provider Console (versions 7 & 8) to update to the latest cumulative patch. Service Providers using unsupported versions are strongly encouraged to upgrade to the latest version of Veeam Service Provider Console.
No Mitigations Available
No mitigation method is available for these vulnerabilities. The only remedy is to upgrade to the latest version of Veeam Service Provider Console.

If this KB article did not resolve your issue or you need further assistance with Veeam software, please create a Veeam Support Case.

To submit feedback regarding this article, please click this link: Send Article Feedback
To report a typo on this page, highlight the typo with your mouse and press CTRL + Enter.

]]> <![CDATA[Veeam Backup Enterprise Manager Vulnerability (CVE-2024-40715)]]> https://www.veeam.com/kb4682 2024-11-06T00:00:00Z 2024-11-06T00:00:00Z

Veeam Backup Enterprise Manager Vulnerability
(CVE-2024-40715)

KB ID: 4682
Product: Veeam Backup & Replication | 10 | 11 | 12 | 12.1 | 12.2
Published: 2024-11-06
Last Modified: 2024-11-12
Veeam Software Security Commitment
Veeam® is committed to ensuring its products protect customers from potential risks. As part of that commitment, we operate a Vulnerability Disclosure Program (VDP) for all Veeam products and perform extensive internal code audits. When a vulnerability is identified, our team promptly develops a patch to address and mitigate the risk. In line with our dedication to transparency, we publicly disclose the vulnerability and provide detailed mitigation information. This approach ensures that all potentially affected customers can quickly implement the necessary measures to safeguard their systems. It’s important to note that once a vulnerability and its associated patch are disclosed, attackers will likely attempt to reverse-engineer the patch to exploit unpatched deployments of Veeam software. This reality underscores the critical importance of ensuring that all customers use the latest versions of our software and install all updates and patches without delay.
Article Applicability

This article documents a vulnerability discovered in Veeam Backup Enterprise Manager (VBEM), a supplementary application customers may deploy to manage Veeam Backup & Replication (VBR) using a web console.

Deploying VBEM is optional; not all environments will have it installed. As such, if VBEM was not deployed in your environment, that environment would not be impacted by this vulnerability.

Tip: You can identify if VBEM is installed by checking for the Veeam Backup Enterprise Manager service or by running the following PowerShell command on the Veeam Backup Server to see if VBR reports that it is managed by a VBEM deployment.

Get-VBRServer | Out-Null
[Veeam.Backup.Core.SBackupOptions]::GetEnterpriseServerInfo() | Format-List

Issue Details

CVE-2024-40715

This vulnerability in Veeam Backup Enterprise Manager allows attackers to bypass the authentication while performing a Man-in-the-Middle (MITM) attack.

Severity: High
CVSS v3.1 Score: 7.7AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L

This vulnerability was reported by ZDI through Hacker One.

Solution

The vulnerability documented in this article was resolved with a hotfix for Veeam Backup Enterprise Manager 12.2.0.334. This hotfix is available directly via this article and was integrated into repackaged ISOs for Veeam Backup & Replication and Veeam Data Platform released on 2024-11-06.

  • For environments where Veeam Backup Enterprise Manager 12.2.0.334 is already installed, download the hotfix from the Download Information section below.
  • For environments where Veeam Backup Enterprise Manager 12.1.2.172 or older is installed, please upgrade to 12.2.0.334 using the latest Veeam Backup & Replication ISO.
     

Download Information

Download Hotfix

Filename: veeam_backup_12.2.0.334_PrivateFix_TF812030.zip

MD5: AEE65885214721E5757B8B05397590FB
SHA1: 7EFD3B89185CCB4230628A0CCA4ACE3D5BE5CD51

Deployment Information

Version Requirement

The hotfix requires the existing Veeam Backup Enterprise Manager deployment to be running 12.2.0.334. You can check which version of Veeam Backup Enterprise Manager is installed by viewing the About section of the Configuration view.

If an earlier version of Veeam Backup Enterprise Manager (12.1.2.172 or older) is deployed, upgrade to 12.2.0.334 using the latest Veeam Backup & Replication ISO, which contains the hotfix and will automatically deploy it.

  1. If Veeam Backup Enterprise Manager is installed on the same machine as Veeam Backup & Replication:
    On the Veeam Backup Server, close all open Veeam Backup & Replication Consoles, and ensure no processes named veeam.backup.shell.exe are running.
  2. Unzip the hotfix and run the hotfix installer on the machine where Veeam Backup Enterprise Manager is installed.
    (veeam_backup_12.2.0.334_PrivateFix_TF812030.exe)


Note: If running the hotfix results in the error "This update is not compatible with installed software version." it means that either:

  • Veeam Backup Enterprise Manager is not installed on the machine where the hotfix was run.

    or
  • The version of Veeam Backup Enterprise Manager installed on the machine where the hotfix was run is not 12.2.0.334.
Reboot May Be Required

Please note that a reboot may be required after installing the hotfix. 

Please plan accordingly.

Deployment Validation

As this is a hotfix, the build number of the software will not be changed. Therefore, validating that the hotfix has been deployed requires checking the hash value of the file present on the system and comparing it to the known hash value of the file included in the hotfix.
Hotfix Filename SHA1 Hash
Veeam.Backup.Enterprise.Core.dll FDC176FCE4825023F14462A51541C1DF591B28AC
Swipe to show more of the table

Check The DLL's Hash

Use the following PowerShell command to check the SHA1 hash value of the DLL.

Get-FileHash -Path 'C:\Program Files\Veeam\Backup and Replication\Enterprise Manager\Veeam.Backup.Enterprise.Core.dll' -Algorithm SHA1

If this KB article did not resolve your issue or you need further assistance with Veeam software, please create a Veeam Support Case.

To submit feedback regarding this article, please click this link: Send Article Feedback
To report a typo on this page, highlight the typo with your mouse and press CTRL + Enter.

]]> <![CDATA[CVE-2023-38547 | CVE-2023-38548 | CVE-2023-38549 | CVE-2023-41723]]> https://www.veeam.com/kb4508 2023-11-06T00:00:00Z 2023-11-06T00:00:00Z

CVE-2023-38547 | CVE-2023-38548 

CVE-2023-38549 | CVE-2023-41723

KB ID: 4508
Product: Veeam ONE | 11 | 12
Veeam Recovery Orchestrator | 6.0
Veeam Disaster Recovery Orchestrator | 5.0
Veeam Availability Orchestrator | 4.0
Published: 2023-11-06
Last Modified: 2024-01-10

Veeam ONE 12.1 is not affected by the vulnerabilities discussed on this page. 

Additionally, Veeam Recovery Orchestrator 7 is not affected by these vulnerabilities as it uses Veeam ONE 12.1.

Issue Details

CVE-2023-38547

A vulnerability in Veeam ONE allows an unauthenticated user to gain information about the SQL server connection Veeam ONE uses to access its configuration database. This may lead to remote code execution on the SQL server hosting the Veeam ONE configuration database.

Affected Version(s)*: Veeam ONE 11, 11a, 12
Severity: Critical
CVSS v3.1: 9.9

 

CVE-2023-38548

A vulnerability in Veeam ONE allows an unprivileged user who has access to the Veeam ONE Web Client the ability to acquire the NTLM hash of the account used by the Veeam ONE Reporting Service.

Affected Version(s)*: Veeam ONE 12
Severity: Critical
CVSS v3.1 score:  9.8

 

CVE-2023-38549

A vulnerability in Veeam ONE allows a user with the Veeam ONE Power User role to obtain the access token of a user with the Veeam ONE Administrator role through the use of XSS.
Note: The criticality of this vulnerability is reduced as it requires interaction by a user with the Veeam ONE Administrator role.

Affected Version(s)*: Veeam ONE 11, 11a, 12
Severity: Medium
CVSS v3.1 score: 4.5

 

CVE-2023-41723

A vulnerability in Veeam ONE allows a user with the Veeam ONE Read-Only User role to view the Dashboard Schedule.
Note: The criticality of this vulnerability is reduced because the user with the Read-Only role is only able to view the schedule and cannot make changes.

Affected Version(s)*: Veeam ONE 11, 11a, 12
Severity: Medium
CVSS v3.1 score: 4.3

 

*Vulnerability testing was only performed using actively supported versions of Veeam ONE.

Solution

A hotfix to resolve these vulnerabilities is available for the following versions:

  • Veeam ONE 12 P20230314 (12.0.1.2591)
  • Veeam ONE 11a (11.0.1.1880)
  • Veeam ONE 11 (11.0.0.1379)
Veeam ONE is a Component of Veeam Recovery Orchestrator

Veeam Recovery Orchestrator (formerly known as Veeam Disaster Recovery Orchestrator or Veeam Availability Orchestrator) utilizes an embedded deployment of Veeam ONE.

Customers using the following versions of Orchestrator should install the embedded Veeam ONE build's hotfix from this article.

  • Veeam Recovery Orchestrator 6 P20230419 uses Veeam ONE 12 P20230314 (build 12.0.1.2591)

    Note: Veeam Recovery Orchestrator 6 GA shipped with Veeam ONE 12.0.0.2498, which is not compatible with this hotfix. Check which version of Veeam ONE is installed; if 12.0.0.2498 is installed, update Veeam Recovery Orchestrator as documented in KB4437.
  • Veeam Disaster Recovery Orchestrator 5 uses Veeam ONE 11a (build 11.0.1.1880)
  • Veeam Availability Orchestrator 4 uses Veeam ONE 11 (build 11.0.0.1379)

 

Download Information

Check Veeam ONE Build Number

Before downloading the hotfix, check which version of Veeam ONE is installed using one of the methods below:

  • Check under Help > About in the Veeam ONE Client.
  • Check within Apps and Features or Programs and Features (Appwiz.cpl).
  • Run the following command on the Veeam ONE server:
Get-Package -name "Veeam ONE*"
Hotfix Must Match Installed Build

The hotfixes below were built for the specific Veeam ONE build numbers listed.

If a hotfix package intended for a specific build number is deployed on a Veeam ONE server that does not have that matching build installed, the Veeam ONE Reporting Service will fail to start.

Please review the steps in the deployment section and heed the advice to double-check which Veeam ONE build is installed before applying the hotfix.

Download Hotfix That Matches Installed Build Number

Hotfix for 12.0.1.2591

For Veeam ONE 12 P20230314 (build 12.0.1.2591)

MD5: 4BA7E812769F0C4FB98331E20B498C01
SHA1: 1604B837E25041D863B432A6C3D1EE12E640ED62
 
Attention: This hotfix is not compatible with Veeam ONE 12 GA (build 12.0.0.2498). If Veeam ONE 12.0.0.2498 is installed, it must be updated to 12.0.1.2591 before applying the hotfix. Applying the hotfix to 12.0.0.2498 will cause the Veeam ONE Reporting Service to fail to start.

Hotfix for 11.0.1.1880

For Veeam ONE 11a (build 11.0.1.1880)
 
MD5: 0DCDD67FE151FFC8242469B75AED3025
SHA1: 1AFB3B762BF46B76337A94D30066EA7F3AABBCB1

Hotfix for 11.0.0.1379

For Veeam ONE 11 (build 11.0.0.1379)
 
MD5: 93B87925C4AFB030DDA6388DF31E5984
SHA1: 74AD4B5A18A16276F74043F3098D6ED6132C97D0

Deployment Information

  1. Verify the version of Veeam ONE installed using one of the methods below:
    • Check under Help > About in the Veeam ONE Client.
    • Check within Apps and Features or Progams and Features (Appwiz.cpl).
    • Run the following command on the Veeam ONE server:
Get-Package -name "Veeam ONE*"
Note: If Veeam ONE 12.0.0.2498 is installed, it must be updated to 12.0.1.2591 before installing the hotfix.
  1. Download the hotfix package that matches the installed Veeam ONE build number.
  2. Stop the following services on the Veeam ONE server:
    • Veeam ONE Monitoring Service
    • Veeam ONE Reporting Service
  3. Replace the existing files with the files provided in the hotfix.
    Note: The contents of the hotfix zip match the folder structure of the Veeam ONE Reporter ServerDefault location:
    C:\Program Files\Veeam\Veeam ONE\     folder. The hotfix files must be placed in the folders that match the folder within the hotfix zip.
    • DLLs in the root of the hotfix zip go in: C:\Program Files\Veeam\Veeam ONE\Veeam ONE Reporter Server\
      • Veeam.Reporter.GrpcService.dll
      • Veeam.Reporter.WebApiService.dll
      • Veeam.Reporter.PackInstaller.dll
      • Veeam.Reporter.GrpcShared.dll
        This file is only in the hotfix for 12.0.1.2591, as it is related to the vulnerability that only affects Veeam ONE version 12.
    • Files in the Collecting folder within the hotfix go in: C:\Program Files\Veeam\Veeam ONE\Veeam ONE Reporter Server\Collecting\
      • Veeam.Retriever.exe
      • Veeam.Reporter.GrpcShared.dll
        This file is only in the hotfix for 12.0.1.2591, as it is related to the vulnerability that only affects Veeam ONE version 12.
    • Files in the Reporting folder within the hotfix go in: C:\Program Files\Veeam\Veeam ONE\Veeam ONE Reporter Server\Reporting\
      • Veeam.Reporter.Reporting.exe
      • Veeam.Reporter.GrpcShared.dll
        This file is only in the hotfix for 12.0.1.2591, as it is related to the vulnerability that only affects Veeam ONE version 12.
  4. Start the services stopped in Step 3.

 

If you have any questions or require assistance, please create a Veeam Support case.

Deployment Validation

As this is a hotfix, the build number of the software will not change. As such, validating the hotfix has been deployed requires checking the hash value of the files present and comparing them to the known hash values of the files included in the hotfix.

Click the version row to expand the list of files included with the hotfix and their known SHA1 hash values.

Filename SHA1 Hash
Veeam ONE  12.0.1.2591
\Collecting\Veeam.Reporter.GrpcShared.dll AC5A2945728E8C60BCF4E879BCAC6B235F38B5B3
\Collecting\Veeam.Retriever.exe 8FCA25B1CD81D89E3B0A977B8AF5255487610969
\Reporting\Veeam.Reporter.GrpcShared.dll 827E1929916972E6ABA25DDA15F0CD5474EBBFB8
\Reporting\Veeam.Reporter.Reporting.exe D1EC3C8E25C654106481F7DF9281BB271461E7AD
Veeam.Reporter.GrpcService.dll 269AFC1424BC58612AC97B08520473FEEF518D4A
Veeam.Reporter.GrpcShared.dll F0ADE6C781D673B9DB84F14AD0C2D0BE847873BD
Veeam.Reporter.PackInstaller.dll B02B20BB6E45E7E9DB2D68E8FDDAADF0ADA4BCF5
Veeam.Reporter.WebApiService.dll 4406F2F4F6D7F07811946D2637DD8BB8322E91E0
Veeam ONE 11.0.1.1880
\Collecting\Veeam.Retriever.exe 21D989ACF3AA191079D40FDAE06AE1B8AFBC9C8F
\Reporting\Veeam.Reporter.Reporting.exe 7359FE86A6160EF1C0C9CA913E7216DA622D6F32
Veeam.Reporter.GrpcService.dll B6B4404D50817EB73927F211A570767D6A0D3DE0
Veeam.Reporter.PackInstaller.dll CEB6EFCCB4CCA079501BE7A6DA225F2126761044
Veeam.Reporter.WebApiService.dll 28A7D7411EF41E939D1B8D6F669966EDB1C61B12
Veeam ONE 11.0.0.1379
\Collecting\Veeam.Retriever.exe AE9EE91C786D097F65B8CB26CCA253E1B4724C2C
\Reporting\Veeam.Reporter.Reporting.exe DDBE4199AA973CDD71A4F3A68B5B68CD109BFF1D
Veeam.Reporter.GrpcService.dll 990A1BAB5C408DC2CB53B2637E4FABCBDB943E96
Veeam.Reporter.PackInstaller.dll 717F85C39D2FAB41D720ABDDAB69B03C3AAD5ADD
Veeam.Reporter.WebApiService.dll 1957C5C23C89348A9F0B9405CECC3C2985F858BB
Swipe to show more of the table

Check Existing File's Hash

To check the hash value of an existing file, use the following PowerShell command with the correct path to the file being checked.

Get-FileHash -Path <file-path> -Algorithm SHA1

Example:

Get-FileHash -Path 'C:\Program Files\Veeam\Veeam ONE\Veeam ONE Reporter Server\Veeam.Reporter.PackInstaller.dll' -Algorithm SHA1

Automated Hotfix Deployment Validator

The following script has been developed to provide customers a quick way to check which version of Veeam ONE is presently installed and whether the hotfix has been deployed.

Click to expand and view PowerShell script. 
#Display Installed Veeam ONE Version
Write-Host "Checking for installed Veeam ONE..."`n
$veeamOnePackage = Get-Package -ProviderName msi | Where-Object { $_.Name -eq "Veeam ONE Reporter Server" }
if ($null -eq $veeamOnePackage) {
    Write-Host "Veeam ONE does not appear to be installed on this machine."`n -ForegroundColor Red
	BREAK
} else {
    $installedVersion = $veeamOnePackage.Version
    Write-Host "The following Veeam ONE Build is installed: $installedVersion"`n -ForegroundColor Green

		# If the installed version is 12.0.0.2498 and display an update message and terminate.
		if ($installedVersion -eq "12.0.0.2498") {
			Write-Host "ERROR: Installed Veeam ONE build is 12.0.0.2498, update to build 12.0.1.2591 is required. See KB4430"`n -ForegroundColor Red
		BREAK
		}
}

# Define Veeam ONE Reporter Server Root Folder
$installLocation = $veeamOnePackage.Source    
$rootFolder = Join-Path -Path $installLocation -ChildPath "Veeam ONE Reporter Server\"

# List of files to check
$fileList = @(
    "Veeam.Reporter.GrpcService.dll",
    "Veeam.Reporter.WebApiService.dll",
    "Veeam.Reporter.PackInstaller.dll",
    "Veeam.Reporter.GrpcShared.dll",
    "Collecting\Veeam.Retriever.exe",
    "Collecting\Veeam.Reporter.GrpcShared.dll",
    "Reporting\Veeam.Reporter.Reporting.exe",
    "Reporting\Veeam.Reporter.GrpcShared.dll"
)

# Dictionary of known file hash values
$hashList = @{
    "Veeam.Reporter.GrpcService.dll" = @{
        "SHA1" = @("269AFC1424BC58612AC97B08520473FEEF518D4A", "B6B4404D50817EB73927F211A570767D6A0D3DE0", "990A1BAB5C408DC2CB53B2637E4FABCBDB943E96")
    }
    "Veeam.Reporter.WebApiService.dll" = @{
        "SHA1" = @("4406F2F4F6D7F07811946D2637DD8BB8322E91E0", "28A7D7411EF41E939D1B8D6F669966EDB1C61B12", "1957C5C23C89348A9F0B9405CECC3C2985F858BB")
    }
    "Veeam.Reporter.PackInstaller.dll" = @{
        "SHA1" = @("B02B20BB6E45E7E9DB2D68E8FDDAADF0ADA4BCF5", "CEB6EFCCB4CCA079501BE7A6DA225F2126761044", "717F85C39D2FAB41D720ABDDAB69B03C3AAD5ADD")
    }
    "Veeam.Reporter.GrpcShared.dll" = @{
        "SHA1" = @("F0ADE6C781D673B9DB84F14AD0C2D0BE847873BD")
    }
    "Collecting\Veeam.Retriever.exe" = @{
        "SHA1" = @("8FCA25B1CD81D89E3B0A977B8AF5255487610969", "21D989ACF3AA191079D40FDAE06AE1B8AFBC9C8F", "AE9EE91C786D097F65B8CB26CCA253E1B4724C2C")
    }
    "Collecting\Veeam.Reporter.GrpcShared.dll" = @{
        "SHA1" = @("AC5A2945728E8C60BCF4E879BCAC6B235F38B5B3")
    }
    "Reporting\Veeam.Reporter.Reporting.exe" = @{
        "SHA1" = @("D1EC3C8E25C654106481F7DF9281BB271461E7AD", "7359FE86A6160EF1C0C9CA913E7216DA622D6F32", "DDBE4199AA973CDD71A4F3A68B5B68CD109BFF1D")
    }
    "Reporting\Veeam.Reporter.GrpcShared.dll" = @{
        "SHA1" = @("827E1929916972E6ABA25DDA15F0CD5474EBBFB8")
    }
}

# Creat array to store table data
$tableData = @()

# Check files and collect data for the table
foreach ($file in $fileList) {
	# Skip checking Veeam.Reporter.GrpcShared.dll for builds 11.0.1.1880 or 11.0.0.1379 as that file was only relevant to 12.0.1.2591.
	if ($file -like "*Veeam.Reporter.GrpcShared.dll") {
		$fileVersion = (Get-Item (Join-Path -Path $rootFolder -ChildPath $file)).VersionInfo.FileVersion
		if ($fileVersion -eq "11.0.0.1379" -or $fileVersion -eq "11.0.1.1880") {
			continue
		}
	}

	$filePath = Join-Path -Path $rootFolder -ChildPath $file
	$fileDetails = $hashList[$file]

	# identify file version and determine SHA1 hash
	if (Test-Path $filePath) {
		$fileVersion = (Get-Item $filePath).VersionInfo.FileVersion
		$fileSHA1 = Get-FileHash -Path $filePath -Algorithm SHA1 | Select-Object -ExpandProperty Hash
		$hashVerified = $false

		# compare file on disk hash to known hotfix hash values
		foreach ($hash in $fileDetails.SHA1) {
			if ($fileSHA1 -eq $hash) {
				$hashVerified = $true
				break
			}
		}
	} else {
		$fileVersion = "N/A"
		$hashVerified = $false
	}

	# Create an object for each file and add it to the table data array
	$fileData = [PSCustomObject]@{
		FileName = $file
		Version = $fileVersion
		"HotFix Installed" = $hashVerified
	}
	$tableData += $fileData
}

# Display the table
$tableData | Format-Table -AutoSize

More Information

The vulnerabilities associated with CVE-2023-38547, CVE-2023-38548, and CVE-2023-38549 were reported by Jarmo Puttonen(@putsi).

 

If this KB article did not resolve your issue or you need further assistance with Veeam software, please create a Veeam Support Case.

To submit feedback regarding this article, please click this link: Send Article Feedback
To report a typo on this page, highlight the typo with your mouse and press CTRL + Enter.

]]> <![CDATA[Security Issue in Microsoft Azure Plug-In for Veeam Backup & Replication]]> https://www.veeam.com/kb4491 2023-09-07T00:00:00Z 2023-09-07T00:00:00Z

Security Issue in Microsoft Azure Plug-In for Veeam Backup & Replication

KB ID: 4491
Product: Veeam Backup & Replication | 12
Published: 2023-09-07
Last Modified: 2023-09-07

Issue Details

This article highlights a security-related issue in Microsoft Azure Plug-In for Veeam Backup & Replication 12.1.5.99 that may allow a user accessing the Veeam Backup & Replication server to obtain the administrator credentials of the Veeam Backup for Microsoft Azure backup appliance, potentially allowing an attacker to gain access to the Veeam Backup for Microsoft Azure appliance.

This issue explicitly affects any environment where an existing deployment of Veeam Backup for Microsoft Azure was upgraded to version 5a while using Microsoft Azure Plug-In for Veeam Backup & Replication version 12.1.5.99. During the appliance upgrade process, administrator credentials were requested to update the Veeam Backup for Microsoft Azure backup appliance's operating system from Ubuntu 18.04 LTS to Ubuntu 22.04 LTS. That Veeam Backup for Microsoft Azure backup appliance administrator password was stored in the Updater log file: C:\ProgramData\Veeam\Backup\Plugins\Microsoft Azure\Logs\<backup_appliance_name>\Veeam.Azure.Updater.

Solution

To address this issue, Veeam has released a new build of Microsoft Azure Plug-In for Veeam Backup & Replication.

It is advised to install this update as soon as possible.

Issue fixed starting in: Microsoft Azure Plug-In for Veeam Backup & Replication 12.1.5.106

Update Procedure

  1. Obtain Microsoft Azure Plug-In for Veeam Backup & Replication 12.1.5.106.
  2. Uninstall Microsoft Azure Plug-In for Veeam Backup & Replication 12.1.5.99.
  3. Install Microsoft Azure Plug-In for Veeam Backup & Replication 12.1.5.106.
  4. Update the password for the account used by Veeam Backup & Replication to connect to Veeam Backup for Microsoft Azure.
    1. Update the password in Veeam Backup for Microsoft Azure first.
    2. Then, update the password within Veeam Backup & Replication.

When version 12.1.5.106 of the Plug-In is installed, the Plug-In will replace the backup appliance administrator password in the existing updater log files with asterisks (*). During future update procedures, the Plug-In will log only asterisks (*) instead of the actual Veeam Backup for Microsoft Azure backup appliance administrator password.

If this KB article did not resolve your issue or you need further assistance with Veeam software, please create a Veeam Support Case.

To submit feedback regarding this article, please click this link: Send Article Feedback
To report a typo on this page, highlight the typo with your mouse and press CTRL + Enter.

]]> <![CDATA[Veeam Backup for Google Cloud - Critical Vulnerability (CVE-2022-43549)]]> https://www.veeam.com/kb4374 2022-11-08T00:00:00Z 2022-11-08T00:00:00Z

Veeam Backup for Google Cloud - Critical Vulnerability (CVE-2022-43549)

KB ID: 4374
Product: Veeam Backup for Google Cloud | 1.0 | 3.0
Published: 2022-11-08
Last Modified: 2025-03-28
Automatic Patching of Components

The fix for the vulnerability discussed in this article has been automatically deployed to all Veeam Backup for Google Cloud Backup Appliances that have been configured to have access to repository.veeam.com. Most users will have no additional actions to perform beyond confirming the Veeam Updater component version.

For deployments where the Veeam Backup for Google Cloud Backup Appliance does not have network access to the Veeam Update Repository, the fix must be deployed manually.

Vulnerability Details

During internal testing, a vulnerability was discovered within the Backup Appliance component of Veeam Backup for Google Cloud that allows users to bypass authentication mechanisms.

Severity: Critical
CVSS v3 Score: 10.0
Status: Resolved

Solution

A fix has been released to resolve the discovered vulnerability in Veeam Backup for Google Cloud versions 1 and 3. For most users, no actions will be needed, as the Veeam Updater component will have automatically installed this fix during its daily check for updates1. After the fix has been installed, the Backup Appliance will be restarted automatically. For environments where the Veeam Backup for Google Cloud backup appliance does not have access to repository.veeam.com, the fix will have to be manually deployed2 or internet access configured to allow access to the update server.

Verify Update Deployment

The fix for the vulnerability documented in this article is being shipped alongside Veeam Updater version 6.0.0.814 and higher.
The Veeam Updater component version is displayed in the top-right of the web interface.3
Patch Version
Shown above is the location of the Veeam Updater component version.

More Information

The Veeam Updater checks for updates every 24 hours. The Veeam Updater will automatically install updates to the Veeam Updater component and critical updates for other components.

2 The update check requires that the Veeam Backup for Google Cloud backup appliance have internet access and be able to reach repository.veeam.com as documented in the product user guideIf the Veeam Backup for Google Cloud backup appliance does not have internet access, a manual update process is available. Please contact Veeam Support for assistance. After manual updating, the Updater UI will have to be reopened to see the updated version listed.

3 If the Veeam Updater UI is opened before it has updated automatically, clicking "Check for Updates..." will cause the Veeam Updater UI to download the update and become inaccessible while the Backup Appliance is automatically restarted to apply the fix. After reopening the Veeam Updater, the new version number will be displayed.

 

 

If this KB article did not resolve your issue or you need further assistance with Veeam software, please create a Veeam Support Case.

To submit feedback regarding this article, please click this link: Send Article Feedback
To report a typo on this page, highlight the typo with your mouse and press CTRL + Enter.

]]> <![CDATA[XSS Vulnerability in Veeam Management Pack for Microsoft System Center v8]]> https://www.veeam.com/kb4338 2022-07-12T00:00:00Z 2022-07-12T00:00:00Z

XSS Vulnerability in Veeam Management Pack for Microsoft System Center v8

KB ID: 4338
Product: Veeam Management Pack | 8.0
Published: 2022-07-12
Last Modified: 2022-07-12

Vulnerability Details

A reflected DOM-Based XSS vulnerability has been discovered in the Help directory of Veeam Management Pack for Microsoft System Center 8.0.

This vulnerability could be exploited by an attacker by convincing a legitimate user to visit a crafted URL on a Veeam Management Pack for Microsoft System Center server, allowing for the execution of arbitrary scripts.

 

CVE: CVE-2022-32225

Solution

Veeam Management Pack for Microsoft System Center 8.0 has reached End-of-Fix, and all users are advised to upgrade to the latest version of Veeam Management Pack for Microsoft System Center.

This vulnerability does not affect Veeam Management Pack for Microsoft System Center version 9.0.

Temporary mitigation

If upgrading to the latest version of Veeam Management Pack for Microsoft System Center is not possible, this vulnerability can be mitigated by removing the Help directory.

Default location:

C:\Program Files (x86)\Veeam\Veeam Virtualization Extensions for System Center\User Interface\Help

More Information

This vulnerability was reported by Mateusz Dabrowski.

If this KB article did not resolve your issue or you need further assistance with Veeam software, please create a Veeam Support Case.

To submit feedback regarding this article, please click this link: Send Article Feedback
To report a typo on this page, highlight the typo with your mouse and press CTRL + Enter.

]]> <![CDATA[Veeam Backup for Microsoft Azure - Updater Component Vulnerability]]> https://www.veeam.com/kb4261 2022-01-06T00:00:00Z 2022-01-06T00:00:00Z

Veeam Backup for Microsoft Azure - Updater Component Vulnerability

KB ID: 4261
Product: Veeam Backup for Microsoft Azure | 2.0 | 3.0
Published: 2022-01-06
Last Modified: 2025-03-17
Automatic Patching of Veeam Updater component

The fix for the vulnerability discussed in this article has been automatically deployed to all Veeam Backup for Microsoft Azure backup appliances that have been configured to have access to repository.veeam.com. Most users will have no additional actions to perform beyond confirming the Veeam Updater component version.

For deployments where the Veeam Backup for Microsoft Azure backup appliance does not have internet access to the Veeam update server, the fix must be deployed manually.

Vulnerability Details

During internal testing, a vulnerability was discovered within the Veeam Updater component of Veeam Backup for Microsoft Azure that allows users to bypass authentication mechanisms and execute arbitrary code.
At this time, there is no evidence that this has been exploited in the wild.

Severity: Critical
CVSS v3 Score: 10.0
Status: Resolved

Solution

A fix has been released to resolve the discovered vulnerability in Veeam Backup for Microsoft Azure versions 2 and 3. For most users, no actions will be needed, as the Veeam Updater component will have automatically installed this fix during its daily check for updates1. However, for environments where the Veeam Backup for Microsoft Azure backup appliance does not have access to repository.veeam.com, the fix will have to be manually deployed2 or internet access configured to allow access to the update server.

The Veeam Updater component version is displayed in the top-right of the web interface.3
The vulnerability documented in this article is corrected starting in Veeam Updater version 5.0.0.633.

Shown in screenshot of hotfixed version of Veeam Updater version
Shown above is the location of the Veeam Updater component version.
This vulnerability does not affect Veeam Backup for AWS nor Veeam Backup for Google Cloud Platform.

More Information

The Veeam Updater checks for updates every 24 hours. The Veeam Updater will automatically install updates to the Veeam Updater component. Updates to components other than the Veeam Updater must be applied by the user.

2 The update check requires that the Veeam Backup for Microsoft Azure backup appliance have internet access and be able to reach repository.veeam.com as documented in the product user guideIf the Veeam Backup for Microsoft Azure backup appliance does not have internet access, a manual update process is available. Please contact Veeam Support for assistance. After manual updating, the Updater UI will have to be reopened to see the updated version listed.

3 If the Veeam Updater UI is opened before it has updated automatically, clicking "Update" will cause the Veeam Updater UI to download the update and become inaccessible until reopened. After reopening the Veeam Updater, the new version number will be displayed.

 

 

If this KB article did not resolve your issue or you need further assistance with Veeam software, please create a Veeam Support Case.

To submit feedback regarding this article, please click this link: Send Article Feedback
To report a typo on this page, highlight the typo with your mouse and press CTRL + Enter.

]]>