CVE-2025-55125

7.8 HIGH

📋 TL;DR

This vulnerability allows authenticated Backup or Tape Operators to execute arbitrary code with root privileges by creating a malicious backup configuration file. It affects Veeam Backup & Replication installations where these operators have configuration access. The attacker must already have valid operator credentials to exploit this vulnerability.

💻 Affected Systems

Products:
  • Veeam Backup & Replication
Versions: Prior to the fix in KB4792
Operating Systems: Windows Server
Default Config Vulnerable: ⚠️ Yes
Notes: Requires Backup Operator or Tape Operator role with configuration permissions.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise with root privileges, allowing complete control over the backup server, data exfiltration, and lateral movement to other systems.

🟠 Likely Case

Privilege escalation from Backup/Tape Operator to root, enabling data theft, backup manipulation, and persistence on the system.

🟢 If Mitigated

Limited impact if proper access controls restrict configuration file creation to trusted administrators only.

🌐 Internet-Facing: LOW - Exploitation requires authenticated access to the backup management interface.
🏢 Internal Only: HIGH - Backup/Tape Operators with legitimate access can exploit this for privilege escalation.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access as Backup/Tape Operator and knowledge of the vulnerability.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version specified in Veeam KB4792

Vendor Advisory: https://www.veeam.com/kb4792

Restart Required: Yes

Instructions:

1. Download the patch from Veeam KB4792.
2. Stop all backup jobs.
3. Install the patch.
4. Restart the Veeam Backup Service.
5. Verify installation and restart backup jobs.

🔧 Temporary Workarounds

Restrict Configuration Permissions

Limit backup configuration file creation to trusted administrators only, removing these permissions from Backup/Tape Operators.

Use Veeam console: Navigate to Users and Roles, modify role permissions to remove configuration file creation rights

🧯 If You Can't Patch

  • Implement strict access controls to limit Backup/Tape Operator permissions to only essential functions
  • Monitor for suspicious configuration file creation activities and audit operator actions regularly

🔍 How to Verify

Check if Vulnerable:

Check Veeam Backup & Replication version against the patched version in KB4792

Check Version:

In Veeam console: Help > About or check installed programs in Windows

Verify Fix Applied:

Verify the installed version matches or exceeds the patched version from KB4792

📡 Detection & Monitoring

Log Indicators:

  • Unusual backup configuration file creation by Backup/Tape Operators
  • Suspicious process execution from backup service context

Network Indicators:

  • Unusual outbound connections from backup server following configuration changes

SIEM Query:

source="veeam_logs" AND (event="configuration_created" OR event="process_execution") AND user_role="backup_operator"
