Veeam 12.3.2 released: critical vulnerability

June 17, 2025 (Last Modified: June 17, 2025)

Veeam 12.3.2 released: critical vulnerability

As we know, best practices advise against placing Veeam servers inside a production Active Directory domain: it’s better to keep them outside the domain or in a separate, dedicated one.

In any case, if your server (or a customer’s server) is domain-joined, it’s important to update it promptly, as *the severity score of this vulnerability is “only” *9.9.

KB4743: Vulnerabilities Resolved in Veeam Backup & Replication 12.3.2 Veeam Support Knowledge Base answer to: Vulnerabilities Resolved in Veeam Backup & Replication 12.3.2www.veeam.com

P.S.: some issues are resolved:

Resolved Issues

Malware Detection

Marking malware events as clean fails with a conversion error when the Microsoft SQL Server hosting the configuration database uses the German (DE) locale.

VMware vSphere

In rare circumstances, application-aware image processing may hang during the guest components installation.

Preferred CDP proxy selection in the CDP policy wizard is not respected.

CDP replica VMs may hang during the commit failback operation.

NAS Backup

Certain sequence of events may result in the NAS backup getting in a state where the retention policy may no longer be applied, with the “Removing non-empty container” operation failing

NAS backup jobs pointed to an HPE StoreOnce repository may occasionally experience execution delays up to 4 hours.

Application Item Recovery

Veeam Explorer for Active Directory: connection to a target domain controlled cannot be established if it has SSL enabled.

Veeam Explorer for Microsoft SQL Server: point-in-time recovery of CDC tables to another SQL server is not possible; Veeam Explorer should now use a mount host automatically when the staging server is unavailable.

Veeam Explorer for Oracle: in certain circumstances, the original database files may be removed when restoring to the original location with a different SID and database name.

Veeam Explorer for PostgreSQL: restoring instances to the latest state and the original location may occasionally fail; the instance restore process fails due to the inability to overwrite a data directory that contains mount points.

Object Storage

Retrieving a certificate revocation list (CRL) may fail due to some firewalls blocking non-RFC-compliant GET requests, resulting in the following error:

Certificate revocation check failed Server error 503: Service Unavailable Failed to download CRL

Background checkpoint removal process may lag behind the addition of new data due to poor deletion API calls performance on certain on-prem object storage devices, causing continuous backup accumulation. To work around this issue, these API calls will now be called concurrently instead of sequentially.

Tape

Restores from hardware-encrypted tapes fail with the following error:

Illegal Request. Invalid field in parameter list.

Slow and unresponsive user interface when browsing media pools with a large amount of tape media, and when thousands of media pools are present.

File-to-Tape jobs may fail to process shares containing large files with the following error:

Failed to Unload a Previous Scenario. Old Scenario: ScenarioType: ENasToTape (23).

Backup to Tape fails to process NetApp NFS3 share occasionally due to a race condition in the caching mechanism, with the following error:

Unable to find ObjectVersion in cache for the file.

Veeam Agent for Linux

Addressed compatibility issues with the latest Linux kernel versions, enabling out-of-the-box support for the following distributions:

Debian 12.10 and 12.11

Ubuntu 25.04

Red Hat Enterprise Linux (RHEL) 9.6 and 10.0 (both on x86 and IBM Power)

Oracle Linux 9.6

Rocky Linux 9.6 and 10.0

AlmaLinux 9.6 and 10.0