Veeam Backup & Replication CVE-2025-48983: Brief Summary of Critical Remote Code Execution Vulnerability

This post provides a brief summary of CVE-2025-48983, a critical remote code execution vulnerability in Veeam Backup & Replication's Mount service. It covers affected versions, technical exploitation details, patch information, and vendor history, referencing official advisories and research.
ZeroPath CVE Analysis

2025-10-30

Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

Introduction

A single domain user account can now compromise the core of enterprise backup infrastructure if left unpatched. The critical remote code execution vulnerability CVE-2025-48983 in Veeam Backup & Replication's Mount service directly exposes backup hosts to arbitrary code execution by any authenticated domain user. This risk is especially significant given Veeam's dominant position in the backup and disaster recovery market, with its software deployed in thousands of organizations worldwide. Veeam Backup & Replication is a cornerstone for data protection in virtual, physical, and cloud environments, making any vulnerability in its core services a high-impact event for the industry.

Technical Information

CVE-2025-48983 is a remote code execution vulnerability in the Mount service of Veeam Backup & Replication, affecting version 12.3.2.3617 and all earlier version 12 builds. The flaw lies in the .NET Remoting channel the Mount service uses, which relies on object serialization and deserialization for remote communication. Veeam attempted to secure this channel with a custom binary formatter that only deserializes classes on a whitelist. However, the whitelist is too broad: gadget chains assembled from whitelisted classes still reach arbitrary code execution.

The only preconditions are that the target Veeam Backup & Replication server is joined to an Active Directory domain and that the attacker holds an authenticated domain account. Such a user can connect to the Mount service and submit a specially crafted serialized object; when the Mount service deserializes it, the gadget chain fires and code runs with the privileges of the Mount service process. Workgroup deployments and the Veeam Software Appliance are not exposed, and version 13 of Veeam Backup & Replication is not affected by this issue.

The vulnerability is closely related to CVE-2025-48984, which affects the Backup Server component and is exploited with similar techniques. Both highlight the risks of unsafe deserialization in .NET applications, especially where protection rests on blacklists or overly permissive whitelists; prior research and advisories have shown that such filters are insufficient, because exploitable gadget chains can usually be found among the classes that remain allowed.
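As an added illustration of the vulnerability class described above (this is not Veeam's code, and it makes no claim about how Veeam's formatter or whitelist is actually built), the following C# contrasts a generic "too broad" allow-list binder, which accepts any type under a namespace prefix, with an exact-type allow-list that rejects everything the service does not expect. `MountRequest`, the `Example.Backup.` prefix and the sample values are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Formatters.Binary;

[Serializable]
public sealed class MountRequest { public string VolumePath; }   // hypothetical message type
// Too broad: a prefix or whole-assembly allow-list still lets a caller name any other class under it,
// and BinaryFormatter then runs that class's own deserialization logic.
public sealed class PrefixAllowListBinder : SerializationBinder
{
    public override Type BindToType(string assemblyName, string typeName)
    {
        if (typeName.StartsWith("Example.Backup.") || typeName.StartsWith("System."))
            return Type.GetType(typeName + ", " + assemblyName);
        throw new SerializationException("Type not allowed: " + typeName);
    }
}
// Strict: a closed map of the only message types the service expects; anything else is rejected
// before the formatter can instantiate it.
public sealed class ExactAllowListBinder : SerializationBinder
{
    static readonly Dictionary<string, Type> Allowed =
        new Dictionary<string, Type> { { typeof(MountRequest).FullName, typeof(MountRequest) } };
    public override Type BindToType(string assemblyName, string typeName)
    {
        if (!Allowed.TryGetValue(typeName, out var t))
            throw new SerializationException("Type not allowed: " + typeName);
        return t;
    }
}
public static class Demo
{
    // .NET Framework only; .NET 5+ disables BinaryFormatter, and replacing it is the safer long-term fix.
    static object Roundtrip(object o, SerializationBinder binder)
    {
        var ms = new MemoryStream();
        new BinaryFormatter().Serialize(ms, o);
        ms.Position = 0;
        return new BinaryFormatter { Binder = binder }.Deserialize(ms);
    }
    public static void Main()
    {
        // Constructed sample: the expected message type passes the strict binder.
        var ok = (MountRequest)Roundtrip(new MountRequest { VolumePath = @"C:\constructed" }, new ExactAllowListBinder());
        Console.WriteLine("accepted: " + ok.VolumePath);
        // An unexpected (here harmless) type fails the strict binder; the prefix binder would resolve it.
        try { Roundtrip(new List<string> { "unexpected" }, new ExactAllowListBinder()); }
        catch (SerializationException e) { Console.WriteLine("rejected: " + e.Message); }
    }
}
```

The point is the shape of the check, not the specific classes: a binder that resolves by prefix or assembly leaves the whole reachable type graph available to the caller, while an exact map limits deserialization to the handful of message types the service was written to receive.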

Patch Information

Veeam addressed these vulnerabilities in Backup & Replication version 12.3.2.4165. The update fixes the remote code execution (RCE) and local privilege escalation (LPE) vulnerabilities identified in earlier versions and should be treated as essential.

Key Vulnerabilities Addressed:

  • CVE-2025-48983: A critical flaw in the Mount service allowing authenticated domain users to execute arbitrary code on backup infrastructure hosts.

  • CVE-2025-48984: A critical vulnerability enabling authenticated domain users to perform RCE on the Backup Server.

  • CVE-2025-48982: A high-severity issue in Veeam Agent for Microsoft Windows that could lead to LPE if an administrator restores a malicious file.

Patch Implementation:

To secure your systems, follow these steps:

  1. Download the Update: Obtain the latest version (12.3.2.4165) from the official Veeam website.

  2. Backup Configuration: Before proceeding, ensure you have a complete backup of your current configuration and data.

  3. Install the Update: Run the installer and follow the on-screen instructions to complete the upgrade.

  4. Verify Installation: After installation, confirm that the reported version is 12.3.2.4165 to ensure the update was successful.

Additional Recommendations:

  • Review System Configurations: Post-update, assess your system settings to ensure they align with security best practices.

  • Monitor Systems: Review system logs and performance metrics to detect any anomalies.

  • Stay Informed: Regularly check for updates and advisories from Veeam to maintain optimal security.

By promptly applying this patch, you significantly reduce the risk of exploitation and enhance the resilience of your backup infrastructure.

For detailed information, refer to Veeam's official advisory: Veeam KB4771.

Affected Systems and Versions

CVE-2025-48983 affects the following:

  • Veeam Backup & Replication version 12.3.2.3617 and all earlier version 12 builds
  • Only impacts backup infrastructure servers that are joined to an Active Directory domain
  • Workgroup-based deployments and Veeam Software Appliances are not affected
  • Veeam Backup & Replication version 13 is not impacted

Vendor Security History

Veeam has experienced several critical vulnerabilities in its Backup & Replication product in recent years. Notably, CVE-2024-40711 and CVE-2025-23120 were both critical deserialization vulnerabilities that allowed remote code execution. The company typically responds quickly to reported issues, releasing patches and advisories in coordination with security researchers. However, the recurrence of similar vulnerabilities suggests a need for architectural changes, which Veeam has indicated are addressed in version 13.
