4 vulnerabilities found for Backup for Microsoft Azure by Veeam
CVE-2025-23114 (GCVE-0-2025-23114)
Vulnerability from nvd – Published: 2025-02-05 01:45 – Updated: 2025-03-13 18:23
Summary
A vulnerability in Veeam Updater component allows Man-in-the-Middle attackers to execute arbitrary code on the affected server. This issue occurs due to a failure to properly validate TLS certificate.
Severity
9 (Critical)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-295 - Improper Certificate Validation
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.veeam.com/kb4712 | |
Impacted products
6 products
| Vendor | Product | Version |
|---|---|---|
| Veeam | Backup for AWS | Affected: 7.0, ≤ 7.0 (semver) |
| Veeam | Backup for Microsoft Azure | Affected: 6.0, ≤ 6.0 (semver) |
| Veeam | Backup for Google Cloud | Affected: 5.0, ≤ 5.0 (semver) |
| Veeam | Backup for Nutanix AHV | Affected: 5.1, ≤ 5.1 (semver) |
| Veeam | Backup for Oracle Linux Virtualization Manager and Red Hat Virtualization | Affected: 4.1, ≤ 4.1 (semver) |
| Veeam | Backup for Salesforce | Affected: 3.1, ≤ 3.1 (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-23114",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-05T14:47:20.649153Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-295",
"description": "CWE-295 Improper Certificate Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-13T18:23:04.462Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Backup for AWS",
"vendor": "Veeam",
"versions": [
{
"lessThanOrEqual": "7.0",
"status": "affected",
"version": "7.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Backup for Microsoft Azure",
"vendor": "Veeam",
"versions": [
{
"lessThanOrEqual": "6.0",
"status": "affected",
"version": "6.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Backup for Google Cloud",
"vendor": "Veeam",
"versions": [
{
"lessThanOrEqual": "5.0",
"status": "affected",
"version": "5.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Backup for Nutanix AHV",
"vendor": "Veeam",
"versions": [
{
"lessThanOrEqual": "5.1",
"status": "affected",
"version": "5.1",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Backup for Oracle Linux Virtualization Manager and Red Hat Virtualization",
"vendor": "Veeam",
"versions": [
{
"lessThanOrEqual": "4.1",
"status": "affected",
"version": "4.1",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Backup for Salesforce",
"vendor": "Veeam",
"versions": [
{
"lessThanOrEqual": "3.1",
"status": "affected",
"version": "3.1",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability in Veeam Updater component allows Man-in-the-Middle attackers to execute arbitrary code on the affected server. This issue occurs due to a failure to properly validate TLS certificate."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 9,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-05T01:45:03.336Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"url": "https://www.veeam.com/kb4712"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2025-23114",
"datePublished": "2025-02-05T01:45:03.336Z",
"dateReserved": "2025-01-11T01:00:00.617Z",
"dateUpdated": "2025-03-13T18:23:04.462Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-23082 (GCVE-0-2025-23082)
Vulnerability from nvd – Published: 2025-01-14 01:46 – Updated: 2025-01-14 15:51
Summary
Veeam Backup for Microsoft Azure is vulnerable to Server-Side Request Forgery (SSRF). This may allow an unauthenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks.
Severity
7.2 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.veeam.com/kb4709 | |
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| Veeam | Backup for Microsoft Azure | Affected: 7.1, ≤ 7.1 (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-23082",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-14T15:51:37.989765Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-14T15:51:53.014Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Backup for Microsoft Azure",
"vendor": "Veeam",
"versions": [
{
"lessThanOrEqual": "7.1",
"status": "affected",
"version": "7.1",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Veeam Backup for Microsoft Azure is vulnerable to Server-Side Request Forgery (SSRF). This may allow an unauthenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 7.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.0"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-14T01:46:14.729Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"url": "https://www.veeam.com/kb4709"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2025-23082",
"datePublished": "2025-01-14T01:46:14.729Z",
"dateReserved": "2025-01-10T19:05:52.771Z",
"dateUpdated": "2025-01-14T15:51:53.014Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-23114 (GCVE-0-2025-23114)
Vulnerability from cvelistv5 – Published: 2025-02-05 01:45 – Updated: 2025-03-13 18:23
Summary
A vulnerability in Veeam Updater component allows Man-in-the-Middle attackers to execute arbitrary code on the affected server. This issue occurs due to a failure to properly validate TLS certificate.
Severity
9 (Critical)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-295 - Improper Certificate Validation
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.veeam.com/kb4712 | |
Impacted products
6 products
| Vendor | Product | Version |
|---|---|---|
| Veeam | Backup for AWS | Affected: 7.0, ≤ 7.0 (semver) |
| Veeam | Backup for Microsoft Azure | Affected: 6.0, ≤ 6.0 (semver) |
| Veeam | Backup for Google Cloud | Affected: 5.0, ≤ 5.0 (semver) |
| Veeam | Backup for Nutanix AHV | Affected: 5.1, ≤ 5.1 (semver) |
| Veeam | Backup for Oracle Linux Virtualization Manager and Red Hat Virtualization | Affected: 4.1, ≤ 4.1 (semver) |
| Veeam | Backup for Salesforce | Affected: 3.1, ≤ 3.1 (semver) |
CVE-2025-23082 (GCVE-0-2025-23082)
Vulnerability from cvelistv5 – Published: 2025-01-14 01:46 – Updated: 2025-01-14 15:51
Summary
Veeam Backup for Microsoft Azure is vulnerable to Server-Side Request Forgery (SSRF). This may allow an unauthenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks.
Severity
7.2 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.veeam.com/kb4709 | |
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| Veeam | Backup for Microsoft Azure | Affected: 7.1, ≤ 7.1 (semver) |