A critical remote code execution (RCE) vulnerability has been identified in the Mount service of Veeam Backup & Replication. This flaw allows an attacker with the credentials of any standard domain user to take complete control of the backup infrastructure servers. Successful exploitation could lead to the theft or destruction of all company backups, rendering disaster recovery impossible and exposing the organization to significant operational disruption and potential ransomware attacks.

This vulnerability exists within the Mount service component of Veeam Backup & Replication. An authenticated, low-privileged domain user can send a specially crafted request to the Mount service on a backup host. Due to improper input validation or a flaw in the service's logic, this request is processed in a way that allows the attacker to execute arbitrary code on the target system with high privileges, typically at the SYSTEM level.

This vulnerability is rated as critical severity with a CVSS score of 9.9. The business impact of a successful exploit is severe. An attacker could compromise the entire backup infrastructure, leading to the exfiltration of sensitive data contained within backups, the deletion or encryption (ransomware) of all backup data, and the complete loss of business continuity and disaster recovery capabilities. A compromised backup server can also be used as a highly privileged pivot point to launch further attacks across the corporate network, significantly escalating the scope of a security incident.

Immediate Action: Immediately update all instances of Veeam Backup & Replication to the latest patched version as recommended by the vendor. Prioritize patching systems that are part of the core backup infrastructure. After patching, review access logs for any signs of compromise that may have occurred before the update was applied.

Proactive Monitoring: Implement enhanced monitoring on Veeam backup hosts. Scrutinize logs for unexpected or anomalous connections to the Mount service, particularly from non-administrative workstations. Monitor for unusual processes being spawned by the Veeam service accounts and use endpoint detection and response (EDR) tools to alert on suspicious command-line activity on these critical servers.

Compensating Controls: If immediate patching is not feasible, implement network segmentation to strictly limit access to the Veeam Mount service ports (e.g., TCP 9401) from only authorized management servers. Enforce the principle of least privilege, ensuring standard user accounts cannot interact with backup server services. Implement multi-factor authentication (MFA) for all administrative access to the backup infrastructure.

Public Exploit Available: false

Given the critical severity (CVSS 9.9) and the profound impact on business resilience, this vulnerability represents an immediate and unacceptable risk. The ability for any authenticated domain user to achieve remote code execution on backup servers makes exploitation highly probable. Although this CVE is not yet on the CISA KEV list, it should be treated with the highest priority. We strongly recommend that all organizations apply the vendor-supplied patches to affected Veeam products immediately without delay.