CVE-2025-23082

7.2 HIGH

📋 TL;DR

Veeam Backup for Microsoft Azure is vulnerable to Server-Side Request Forgery (SSRF), allowing unauthenticated attackers to make unauthorized requests from the system. This could enable network scanning or serve as a stepping stone for further attacks. All deployments of affected Veeam Backup for Microsoft Azure versions are at risk.

💻 Affected Systems

Products:
  • Veeam Backup for Microsoft Azure
Versions: All versions prior to the fixed version specified in KB4709
Operating Systems: Windows Server (Azure VM)
Default Config Vulnerable: ⚠️ Yes
Notes: Affects deployments where Veeam Backup for Microsoft Azure is accessible to untrusted networks.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Attacker gains internal network access, pivots to sensitive systems, exfiltrates data, or uses the compromised system to launch attacks against other internal resources.

🟠 Likely Case

Network enumeration revealing internal infrastructure, potential data exposure from internal services, and use as a proxy for other attacks.

🟢 If Mitigated

Limited to internal network reconnaissance with no critical data access if proper network segmentation and access controls are implemented.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

SSRF vulnerabilities typically have low exploitation complexity, especially when unauthenticated.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Refer to Veeam KB4709 for specific fixed version

Vendor Advisory: https://www.veeam.com/kb4709

Restart Required: No

Instructions:

1. Review Veeam KB4709.
2. Download and apply the latest patch from Veeam.
3. Verify the update completes successfully.

🔧 Temporary Workarounds

Network Segmentation (all)

Restrict network access to Veeam Backup for Microsoft Azure to trusted IPs only.

Firewall Rules (all)

Implement outbound firewall rules to limit the system's ability to make requests to internal networks.

🧯 If You Can't Patch

  • Isolate the Veeam system from untrusted networks using firewall rules.
  • Implement network monitoring for unusual outbound requests from the Veeam system.

🔍 How to Verify

Check if Vulnerable:

Check the Veeam Backup for Microsoft Azure version against the affected versions listed in KB4709.

Check Version:

Check within Veeam Backup for Microsoft Azure console or refer to installation logs.

Verify Fix Applied:

Confirm the version matches or exceeds the fixed version specified in KB4709.

📡 Detection & Monitoring

Log Indicators:

  • Unusual outbound HTTP/HTTPS requests from Veeam system
  • Requests to internal IP ranges not typically accessed

Network Indicators:

  • Unexpected traffic from Veeam system to internal services
  • Port scanning originating from Veeam system

SIEM Query:

source_ip="VEEAM_SYSTEM_IP" AND (dest_ip=INTERNAL_SUBNET OR dest_port=SCAN_PORTS)
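The SIEM query above is a template with placeholders. As an added example (not part of this advisory or of any Veeam tooling), the script below applies the same logic to egress-log lines: it flags every connection from the Veeam host to a destination outside an allowlist, tags internal (RFC 1918 and link-local) targets, and reports hosts that received enough distinct ports to look like a scan. The log format, the Veeam host address 10.20.0.5 and the allowlisted storage range are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample egress-log lines (not from the advisory): "timestamp src_ip dest_ip dest_port".
SAMPLE_LOG = """\
2025-01-14T10:00:01Z 10.20.0.5 52.239.160.10 443
2025-01-14T10:00:02Z 10.20.0.5 10.20.1.15 445
2025-01-14T10:00:03Z 10.20.0.5 10.20.1.15 3389
2025-01-14T10:00:04Z 10.20.0.5 10.20.1.15 22
2025-01-14T10:00:05Z 10.20.0.5 10.20.1.15 8080
2025-01-14T10:00:06Z 10.20.0.5 169.254.169.254 80
2025-01-14T10:00:07Z 10.20.0.9 10.20.1.15 445
"""

VEEAM_IP = ipaddress.ip_address("10.20.0.5")  # assumed address of the Veeam host
# Assumed legitimate destination: the backup storage endpoint the host normally uses.
ALLOWLIST = [ipaddress.ip_network("52.239.160.0/24")]
# RFC 1918 space plus link-local, where cloud instance-metadata endpoints also live.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]
SCAN_PORT_THRESHOLD = 3  # distinct ports to one host before we call it a scan

def parse_line(line):
    """Split one log line into (timestamp, src, dst, port); None for malformed lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        return parts[0], ipaddress.ip_address(parts[1]), ipaddress.ip_address(parts[2]), int(parts[3])
    except ValueError:
        return None

def in_any(addr, nets):
    return any(addr in n for n in nets)

def analyze(log_text, veeam_ip=VEEAM_IP, allowlist=ALLOWLIST):
    """Return (flagged, scan_targets): non-allowlisted connections from the Veeam host,
    each tagged "internal" or "external", and destinations hit on many distinct ports."""
    flagged, ports_by_dst = [], defaultdict(set)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        ts, src, dst, port = rec
        if src != veeam_ip or in_any(dst, allowlist):
            continue  # not our host, or a destination it is expected to reach
        kind = "internal" if in_any(dst, INTERNAL) else "external"
        flagged.append({"ts": ts, "dst": str(dst), "port": port, "kind": kind})
        ports_by_dst[str(dst)].add(port)
    scan_targets = sorted(d for d, p in ports_by_dst.items() if len(p) >= SCAN_PORT_THRESHOLD)
    return flagged, scan_targets
```

Run `analyze(SAMPLE_LOG)` to get the five flagged connections and `["10.20.1.15"]` as the scanned host; tune the allowlist to the storage and management endpoints your deployment actually uses before relying on it.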
