Veeam Backup: Code injection possible through MitM vulnerability in updater
Veeam Backup contains an updater that is vulnerable to man-in-the-middle attacks. Attackers can inject malicious code.
(Image: created with AI in Bing Designer by heise online / dmk)
Veeam Backup appliances use an updater that contains a security vulnerability. Attackers can exploit it to inject and execute malicious code. Updates are available.
Veeam discusses the vulnerability in a security advisory. “A vulnerability in the Veeam Updater component allows attackers to use a man-in-the-middle attack to execute arbitrary code on affected appliances with root privileges,” writes the manufacturer (CVE-2025-23114, CVSS 9.0, risk “critical”). This affects the current version of Veeam Backup for Salesforce 3.1 and earlier.
Confusion about affected software versions
The attempt to list the affected versions is somewhat hampered by marketing efforts to downplay the vulnerability and its impact. Specifically affected are Veeam Backup for AWS 6a and 7, for Google Cloud 4 and 5, for Microsoft Azure 6a and 6, for Nutanix AHV 5.0 and 5.1 as well as for Oracle Linux Virtualization Manager and Red Hat Virtualization 3, 4.0 and 4.1. However, updated versions have been available for some of these since the middle of last year. For Veeam Backup for Salesforce, the updater component is now available in version 7.9.0.1124, which also fixes the vulnerability.
Anyone using Veeam Backup & Replication with these appliances must update the software to version 12.3 or later and update the appliances to the aforementioned corrected versions or later. The updated packages should be available for download from the Veeam repository. However, the appliances and software contain an easy-to-use update mechanism that is active by default and should have already performed the updates. IT managers should check this and update if necessary.
Security vulnerabilities in the Veeam Service Provider Console (VSPC) most recently came to light last December. A critical vulnerability allowed malicious code to be injected and executed, while a high-risk vulnerability allowed access to NTLM hashes. Here, too, updates are available to patch the vulnerabilities.
(dmk)