Veeam Updater Vulnerability: Critical Analysis of CVE-2025-23114 and Mitigation Strategies

Rescana Cybersecurity Report: CVE-2025-23114

Feb 2025

Executive Summary

CVE-2025-23114 is a critical vulnerability identified in the Veeam Updater component, which is used by several Veeam backup products. This vulnerability allows Man-in-the-Middle (MitM) attackers to execute arbitrary code on the affected server due to improper validation of TLS certificates. The vulnerability has been assigned a CVSS v3.1 score of 9.0, indicating its critical nature.

Affected Sectors and Countries

Currently, there is no specific information on sectors or countries targeted by APT groups exploiting CVE-2025-23114. However, given the nature of the vulnerability, organizations using Veeam products across various sectors should remain vigilant.

Technical Information

The vulnerability affects the following Veeam products: Veeam Backup for Salesforce (versions 3.1 and older), Veeam Backup for Nutanix AHV (versions 5.0 and 5.1), Veeam Backup for AWS (versions 6a and 7), Veeam Backup for Microsoft Azure (versions 5a and 6), Veeam Backup for Google Cloud (versions 4 and 5), and Veeam Backup for Oracle Linux Virtualization Manager and Red Hat Virtualization (versions 3, 4.0, and 4.1).

The vulnerability can be exploited by attackers positioned between the vulnerable Veeam appliance and its update server. By intercepting the communication, attackers can execute arbitrary code with root-level permissions on the affected server. This poses a significant risk as it could lead to unauthorized access and control over critical backup systems. The improper validation of TLS certificates allows attackers to impersonate the update server, thereby injecting malicious updates or commands.
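The flaw class described above, shown as an added example that is not Veeam's code or part of the original report: a generic Python update client whose TLS context accepts any certificate, the corrected context beside it, and a small audit helper. The function names are hypothetical.

```python
import ssl


def insecure_update_context() -> ssl.SSLContext:
    """Flawed pattern: traffic is encrypted but the peer is never authenticated."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # has to be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE  # any certificate, from any host, is accepted
    return ctx


def hardened_update_context() -> ssl.SSLContext:
    """Corrected pattern: chain validation plus hostname matching."""
    # create_default_context() sets CERT_REQUIRED, enables check_hostname
    # and loads the system trust store.
    return ssl.create_default_context()


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return the certificate-validation weaknesses found in a client context."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain is not verified")
    if not ctx.check_hostname:
        findings.append("hostname is not matched against the certificate")
    return findings


if __name__ == "__main__":
    for name, ctx in (("insecure", insecure_update_context()),
                      ("hardened", hardened_update_context())):
        issues = audit_context(ctx)
        print(f"{name}: {'; '.join(issues) if issues else 'no findings'}")
```

With either check disabled, a host on the network path can present its own certificate and the client will treat its responses as coming from the update server.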

The attack vector is particularly concerning for environments where Veeam products are used to manage backups of sensitive data. The potential for data exfiltration, system compromise, and lateral movement within the network is high. Organizations must prioritize patching and securing their Veeam infrastructure to prevent exploitation.

Exploitation in the Wild

As of the latest reports, there are no confirmed instances of CVE-2025-23114 being actively exploited in the wild. Additionally, no specific APT groups have been identified as exploiting this vulnerability according to available data. However, the high CVSS score and the nature of the vulnerability suggest that it could become a target for threat actors in the future.

APT Groups using this vulnerability

There is currently no evidence of specific APT groups exploiting CVE-2025-23114. However, given the critical nature of the vulnerability, it is advisable for organizations to monitor threat intelligence sources for any emerging threats related to this vulnerability.

Affected Product Versions

The affected product versions include Veeam Backup for Salesforce (versions 3.1 and older), Veeam Backup for Nutanix AHV (versions 5.0 and 5.1), Veeam Backup for AWS (versions 6a and 7), Veeam Backup for Microsoft Azure (versions 5a and 6), Veeam Backup for Google Cloud (versions 4 and 5), and Veeam Backup for Oracle Linux Virtualization Manager and Red Hat Virtualization (versions 3, 4.0, and 4.1).

Workaround and Mitigation

Veeam has released updates to address this vulnerability. Users are advised to upgrade to the latest versions of the affected products, which include the patched Veeam Updater component. Automatic updates are enabled for all backup appliances, ensuring that supported versions automatically receive the necessary updates. Additionally, organizations should consider implementing network segmentation and monitoring to detect any unusual activity that may indicate an attempted exploitation.

References

For more detailed information on CVE-2025-23114, please refer to the following resources: National Vulnerability Database (NVD): CVE-2025-23114, Veeam Knowledge Base: KB4712, SOCRadar: Critical Veeam Vulnerability.

Rescana is here for you

At Rescana, we are committed to helping our customers navigate the complex landscape of cybersecurity threats. Our Continuous Threat and Exposure Management (CTEM) platform provides comprehensive solutions to identify, assess, and mitigate vulnerabilities. For any questions regarding this report or other cybersecurity concerns, please reach out to our team at ops@rescana.com. We are here to support you in safeguarding your digital assets.
