Mallory
High

RCE in Veeam Backup & Replication Backup Server

Identifiers: CVE-2025-48984, CWE-502

CVE-2025-48984 is a critical remote code execution vulnerability in the Backup Server component of Veeam Backup & Replication. Based on the provided content, the flaw allows an authenticated Active Directory domain user to execute arbitrary code remotely on the Backup Server. The issue affects Veeam Backup & Replication 12.3.2.3617 and earlier version 12 builds, and only domain-joined backup servers are reported as impacted. The supporting content does not provide the exact vulnerable function or code path for CVE-2025-48984 specifically, but it is described as closely related to other Veeam deserialization issues disclosed at the same time, indicating unsafe deserialization is the likely underlying class of flaw.


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows arbitrary remote code execution on the Veeam Backup Server by an authenticated domain user. Because the affected system is backup infrastructure, compromise can have high operational impact, including takeover of the backup server, execution of attacker-controlled payloads in the server security context, potential access to backup data and infrastructure management functions, and follow-on actions against connected systems.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure by limiting access to the Backup Server to only trusted administrative principals, minimizing or eliminating domain-user access paths to backup infrastructure, and applying Veeam security hardening best practices. Because the content states only domain-joined backup servers are affected, isolating backup infrastructure and avoiding unnecessary domain integration may reduce risk where operationally feasible. These are interim measures and not substitutes for upgrading.

Remediation

Patch, then assume compromise.

Upgrade Veeam Backup & Replication to version 12.3.2.4165 or later, as the provided content states this release patches CVE-2025-48984. Veeam advisory KB4771 is referenced as the official patch guidance. The content also recommends backing up configuration and data before installing the update and verifying the installed version after the upgrade. Version 13 is stated to be unaffected.
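
The version check described above can be run across an inventory export. The following is an added example, not code from Veeam or from this page; the CSV layout, hostnames and sample rows are constructed, and only the two build numbers come from the text above.

```python
import csv
import io

# Build numbers taken from the advisory text above.
LAST_AFFECTED = (12, 3, 2, 3617)  # this build and earlier version 12 builds
FIXED = (12, 3, 2, 4165)          # release stated to patch CVE-2025-48984

# Constructed sample inventory: hostnames, versions and flags are made up.
SAMPLE_INVENTORY = """hostname,vbr_version,domain_joined
vbr-01,12.3.2.3617,true
vbr-02,12.3.2.4165,true
vbr-03,12.0.0.1,false
vbr-04,13.0.0.1,true
vbr-05,12.3.2.3900,true
vbr-06,unknown,true
"""

def parse_build(text):
    """Return the version as a 4-part integer tuple, or None if malformed."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def classify(version, domain_joined):
    build = parse_build(version)
    if build is None:
        return "UNKNOWN"            # verify the installed version by hand
    if build[0] == 13:
        return "NOT_AFFECTED"       # version 13 is stated to be unaffected
    if build[0] != 12:
        return "OUT_OF_SCOPE"       # the text only describes version 12 builds
    if build >= FIXED:
        return "PATCHED"
    if not domain_joined:
        return "UPGRADE_LOW"        # below fixed build, not domain-joined
    if build <= LAST_AFFECTED:
        return "AFFECTED"           # domain-joined and in the stated range
    return "UPGRADE_UNSTATED"       # between the two builds: not described

def triage(csv_text):
    rows = csv.DictReader(io.StringIO(csv_text))
    return {r["hostname"]: classify(r["vbr_version"],
                                    r["domain_joined"].strip().lower() == "true")
            for r in rows}

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {verdict}")
```

Builds that fall between 12.3.2.3617 and 12.3.2.4165 are not described in the text, so the example flags them for upgrade rather than treating them as safe.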
PUBLIC EXPLOITS

Exploits


No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability.

Vendor | Product | Type
Veeam Software | Veeam Backup & Replication | application

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
