## New Threat Emerges for Veeam Backup & Replication Users
Veeam Backup & Replication, an integral component of many companies’ data protection strategies, is reportedly facing a serious security threat. A listing has surfaced on a dark web marketplace, where a seller under the alias “SebastianPereiro” claims to have discovered a remote-code-execution (RCE) exploit targeting specific builds of Veeam 12.x.
### Details of the Exploit
Referred to as the “Bug of June 2025”, this exploit allegedly circumvents standard authentication methods, allowing unauthorized users full control over servers. Initial indications suggest this flaw could be related to CVE-2025-23121, although there has been no official proof-of-concept released to corroborate these claims.
The listing states that the exploit requires nothing more than any valid Active Directory account. This significantly lowers the bar for attackers who have already obtained domain credentials through tactics such as phishing or lateral movement within an organization’s network.
Prospective buyers are required to pay $7,000 in cryptocurrency for this exploit and are encouraged to directly message the seller for transaction details.
### Implications of the Exploit
While no public proof-of-concept is available, the potential ramifications for organizations utilizing Veeam Backup & Replication are substantial. Compromised systems could be exploited to exfiltrate sensitive data, encrypt existing backups, or even delete them permanently.
Experts from ThreatMon point out that businesses operating Veeam Backup & Replication across mixed Windows and Linux environments may find themselves particularly vulnerable, primarily because logging and patch management are often inconsistent across such setups.
Firms that postpone patching—often due to testing requirements or compliance issues—could inadvertently lengthen their exposure to this vulnerability, increasing the chances of a successful cyberattack.
### Recommended Security Measures
To mitigate the risks associated with this exploit, security professionals should prioritize the review of Active Directory accounts with elevated privileges. It is also essential to confirm that all Veeam servers are updated with the latest patches and to monitor for any unusual activity involving service accounts.
#### Understanding the Infection Mechanism
The exploit reportedly targets a flaw stemming from inadequate input validation in Veeam’s REST API endpoint. An attacker authenticates with any Active Directory account and submits a carefully crafted JSON payload to the `/api/sessions/startBackup` endpoint, which causes shell commands to run directly within the backup session creation process.
A simplified PowerShell snippet illustrating this might look like the following:
```powershell
# Endpoint described in the listing; any valid AD account is used for authentication
$uri = "https://veeam-server:4443/api/sessions/startBackup"
$payload = @{
    jobName   = "WeeklyBackup";
    preScript = "powershell -Enc SQBuAG…"   # Base64-encoded malicious command
} | ConvertTo-Json
Invoke-RestMethod -Uri $uri -Method Post -Body $payload -Credential (Get-Credential) -UseBasicParsing
```
In this scenario, the payload directs the system to execute arbitrary PowerShell commands using the permissions of the Veeam service account. This grants the attacker substantial control over backup jobs and repository content.
### Ongoing Monitoring and Prevention
It’s critical for organizations to establish continuous monitoring of API traffic and enforce strict hygiene practices around Active Directory accounts as part of a comprehensive defense strategy. Recognizing and addressing this potential attack vector could be vital in safeguarding sensitive data and maintaining the integrity of backup systems.
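As an added example of the API-traffic monitoring recommended above (not code from the article, ThreatMon or Veeam), the following triage script flags POST requests to the `/api/sessions/startBackup` endpoint that carry a `preScript`/`postScript` hook or come from an account outside an approved-operators list, and decodes any `-EncodedCommand` argument so an analyst can see what it would run. The JSON-lines log format, the sample records and the field names are constructed assumptions, not Veeam’s own log schema.

```python
import base64
import binascii
import json
import re
from typing import List, Optional, Set

# Constructed sample records from a hypothetical reverse proxy in front of the
# Veeam REST API (one JSON object per line). This is an assumed format.
SAMPLE_LOG = """\
{"user":"svc-veeam@corp.local","method":"POST","path":"/api/sessions/startBackup","body":{"jobName":"WeeklyBackup"}}
{"user":"jdoe@corp.local","method":"POST","path":"/api/sessions/startBackup","body":{"jobName":"WeeklyBackup","preScript":"powershell -Enc SQBuAHYAbwBrAGUA"}}
{"user":"svc-veeam@corp.local","method":"GET","path":"/api/jobs"}
"""

WATCHED_PATH = "/api/sessions/startBackup"
SCRIPT_FIELDS = ("preScript", "postScript")
# Matches the PowerShell encoded-command switch in its -e / -enc / -EncodedCommand forms
ENCODED_FLAG = re.compile(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(script: str) -> Optional[str]:
    """Decode a -EncodedCommand argument (Base64 of UTF-16LE); None if absent or malformed."""
    match = ENCODED_FLAG.search(script)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None  # truncated or tampered payloads must not crash the triage


def triage(log_text: str, approved_operators: Set[str]) -> List[dict]:
    """Return one finding per suspicious startBackup call, with the reasons it was flagged."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("method") != "POST" or rec.get("path") != WATCHED_PATH:
            continue
        reasons, decoded = [], None
        if rec.get("user", "").lower() not in approved_operators:
            reasons.append("unapproved account")
        for field in SCRIPT_FIELDS:
            script = (rec.get("body") or {}).get(field)
            if script:  # a script hook in the API body is unusual for a routine job start
                reasons.append(f"{field} present")
                if ENCODED_FLAG.search(script):
                    reasons.append("encoded command")
                    decoded = decode_encoded_command(script)
        if reasons:
            findings.append({"user": rec["user"], "reasons": reasons, "decoded": decoded})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG, {"svc-veeam@corp.local"}):
        print(finding)
```

Feed the real proxy or API access log in place of `SAMPLE_LOG` and keep the approved-operators set in sync with the privileged-account review described above.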