Standalone backup agent for Microsoft Windows servers and workstations (formerly Veeam Endpoint Backup FREE)
JeroenL
Enthusiast
Posts: 25
Liked: 15 times
Joined: Feb 03, 2020 2:20 pm
Full Name: Jeroen Leeflang

CVE-2025-48982: How "easy" is this to exploit?

Post by JeroenL »

Hello,

I am looking into CVE-2025-48982 and trying to understand the way this vulnerability works.

To me it seems like this:
Someone with bad intentions had to compromise base security and gain access to a resource protected by Veeam Agent for Windows.
The "hacker" needs to place a malicious file on this server and needs to wait until it is backed up.
Then the hacker needs to contact the backup administrator and kindly ask him/her to restore the malicious file.

From here things get unclear. Does this file magically get executed as soon as it is processed by Veeam Agent for Windows? Does this file need to be restored to a specific location where it can be executed with increased permissions? Does it replace another system file? What makes this file so special that it needs Veeam to patch the Agent for Windows?

How "complex" is it to exploit this vulnerability? Please provide some more info for us to make our own choice regarding the importance of this vulnerability.
Dima P.
Product Manager
Posts: 14934
Liked: 1825 times
Joined: Feb 04, 2013 2:07 pm
Full Name: Dmitry Popov
Location: Prague

Re: CVE-2025-48982: How "easy" is this to exploit?

Post by Dima P. »

Hello Jeroen,

I'd recommend installing the patched agent version once you have the next maintenance window. Regarding the exploit details, please get in touch with our Application Security team and they will help you to get things sorted: veeam.securitycompliance@veeam.com.

Thank you!
dariusz.tyka
Enthusiast
Posts: 61
Liked: 5 times
Joined: Jan 21, 2019 1:38 pm
Full Name: Dariusz Tyka

Re: CVE-2025-48982: How "easy" is this to exploit?

Post by dariusz.tyka »

Hello all,

I have another question related to this CVE-2025-48982 - why is it necessary to uninstall the previous version of the agent (working in standalone mode) and reinstall 6.3.2.1302? Why can it not be upgraded? Are backup jobs affected by the uninstall/reinstall process?
And a second question - it is mentioned that the private fix will also work for standalone mode, but:
"Please note that while the private fix can be applied to standalone deployments, the application's auto-update feature will still prompt you to install the latest build when it becomes available. Therefore, it is recommended to perform a full uninstall and reinstall."
So the agent will be upgraded to version 6.3.2.1302 but the auto-update process will prompt for an update?
Gostev
Chief Product Officer
Posts: 32719
Liked: 7944 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland

Re: CVE-2025-48982: How "easy" is this to exploit?

Post by Gostev »

This was already answered in the adjacent topic. Yes, the standalone agent UI will prompt you to upgrade normally.
dariusz.tyka
Enthusiast
Posts: 61
Liked: 5 times
Joined: Jan 21, 2019 1:38 pm
Full Name: Dariusz Tyka

Re: CVE-2025-48982: How "easy" is this to exploit?

Post by dariusz.tyka »

Thank you for the prompt answer, Gostev. But I have another one - I installed this private fix on a standalone agent but it still shows version 6.3.2.1205 within the GUI - how can I check the fix was correctly applied?
Dima P.
Product Manager
Posts: 14934
Liked: 1825 times
Joined: Feb 04, 2013 2:07 pm
Full Name: Dmitry Popov
Location: Prague

Re: CVE-2025-48982: How "easy" is this to exploit?

Post by Dima P. »

Hello Dariusz,

You can check the patch being applied via the registry, take a look here. Thank you!
dariusz.tyka
Enthusiast
Posts: 61
Liked: 5 times
Joined: Jan 21, 2019 1:38 pm
Full Name: Dariusz Tyka

Re: CVE-2025-48982: How "easy" is this to exploit?

Post by dariusz.tyka »

Thank you Dima.
azpets
Enthusiast
Posts: 30
Liked: 7 times
Joined: Dec 05, 2020 4:08 pm
Full Name: A.Z. SRL

Re: CVE-2025-48982: How "easy" is this to exploit?

Post by azpets »

Gostev wrote: Oct 15, 2025 10:13 am Yes, the standalone agent UI will prompt you to upgrade normally.
According to my experience, this is not happening.

Downloaded the file; the standalone agent won't allow an upgrade from that file, requesting removal and reinstall.
Moreover, using the winget tool provided by Microsoft, the exit code for the failed update is 1002, while the computer rebooted before the command

winget update Veeam.VeeamAgent

which is found to be updated from 6.3.2.1205 to 6.3.2.1302.

Available for test if needed.
Gostev
Chief Product Officer
Posts: 32719
Liked: 7944 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland

Re: CVE-2025-48982: How "easy" is this to exploit?

Post by Gostev »

I was referring to the message box from check for updates functionality in the standalone agent UI.
azpets
Enthusiast
Posts: 30
Liked: 7 times
Joined: Dec 05, 2020 4:08 pm
Full Name: A.Z. SRL

Re: CVE-2025-48982: How "easy" is this to exploit?

Post by azpets »

So it's official that "uninstall and reinstall" or "GUI" are the only supported upgrade paths?
Gostev
Chief Product Officer
Posts: 32719
Liked: 7944 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland

Re: CVE-2025-48982: How "easy" is this to exploit?

Post by Gostev »

Yes, just as said message box explains, you must uninstall the existing agent.
azpets
Enthusiast
Posts: 30
Liked: 7 times
Joined: Dec 05, 2020 4:08 pm
Full Name: A.Z. SRL

Re: CVE-2025-48982: How "easy" is this to exploit?

Post by azpets »

I think all the infrastructure will wait for the next release.
Gostev
Chief Product Officer
Posts: 32719
Liked: 7944 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland

Re: CVE-2025-48982: How "easy" is this to exploit?

Post by Gostev »

If you have a serious infrastructure then you should not be using standalone agents in the first place, only agents managed by VBR. Standalone agents are designed for home users as a free offering, they were never meant to be used for protecting "infrastructures".