New Veeam Flaw Allows Arbitrary Code Execution via Man-in-the-Middle Attack

Veeam has released patches to address a critical security flaw impacting its Backup software that could allow an attacker to execute arbitrary code on susceptible systems.

The vulnerability, tracked as CVE-2025-23114, carries a CVSS score of 9.0 out of 10.0.

"A vulnerability within the Veeam Updater component that allows an attacker to utilize a Man-in-the-Middle attack to execute arbitrary code on the affected appliance server with root-level permissions," Veeam said in an advisory.

The shortcoming impacts the following products -

• Veeam Backup for Salesforce — 3.1 and older
• Veeam Backup for Nutanix AHV — 5.0 | 5.1 (Versions 6 and higher are unaffected by the flaw)
• Veeam Backup for AWS — 6a | 7 (Version 8 is unaffected by the flaw)
• Veeam Backup for Microsoft Azure — 5a | 6 (Version 7 is unaffected by the flaw)
• Veeam Backup for Google Cloud — 4 | 5 (Version 6 is unaffected by the flaw)
• Veeam Backup for Oracle Linux Virtualization Manager and Red Hat Virtualization — 3 | 4.0 | 4.1 (Versions 5 and higher are unaffected by the flaw)

It has been addressed in the below versions -

• Veeam Backup for Salesforce - Veeam Updater component version 7.9.0.1124
• Veeam Backup for Nutanix AHV - Veeam Updater component version 9.0.0.1125
• Veeam Backup for AWS - Veeam Updater component version 9.0.0.1126
• Veeam Backup for Microsoft Azure - Veeam Updater component version 9.0.0.1128
• Veeam Backup for Google Cloud - Veeam Updater component version 9.0.0.1128
• Veeam Backup for Oracle Linux Virtualization Manager and Red Hat Virtualization - Veeam Updater component version 9.0.0.1127

"If a Veeam Backup & Replication deployment is not protecting AWS, Google Cloud, Microsoft Azure, Nutanix AHV, or Oracle Linux VM/Red Hat Virtualization, such a deployment is not impacted by the vulnerability," the company noted.