Your view is absolutely correct: the vast majority of vulnerabilities have been in the product forever. It's quite uncommon for a new security issue to be introduced, as the only real chance to introduce one is with a major architecture rewrite/update, which doesn't happen very often.
I believe this is the case with most software out there. For example, all but one critical VMware ESXi vulnerability I remember affected all ESXi versions.
Therefore, you will have the best possible security posture if you:
- Update your current version as soon as possible (ideally within 14 days of security patch availability, before exploits are built), AND
- Do not jump new major releases until they are proven and have received a few maintenance releases (so at least 6-12 months in)
Which is basically what every large enterprise customer of Veeam does.
If you stay on earlier unpatched versions, you're a very easy target for any hacker (even an unskilled one) because of the very mature tooling available to them to exploit well-known vulnerabilities. They can just download and run it against your backup server.
Posted by Gostev — Apr 21, 2025 6:56 pm
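The two rules above (patch within 14 days, stay off a new major until it has matured for roughly 6 months) expressed as a small compliance check, as an added example that is not part of the original post. The release catalogue, version numbers, dates and host names are constructed for illustration and are not real Veeam release data.

```python
from dataclasses import dataclass
from datetime import date

PATCH_WINDOW_DAYS = 14     # apply a security patch within 14 days of availability
MAJOR_MIN_AGE_DAYS = 180   # adopt a new major only after ~6 months of maintenance releases


@dataclass(frozen=True)
class Release:
    version: str
    released: date
    security_fix: bool = False


def parse_version(v: str) -> tuple[int, ...]:
    return tuple(int(p) for p in v.split("."))


# Constructed release catalogue: hypothetical versions and dates, not real vendor data.
CATALOGUE = [
    Release("12.0.0", date(2024, 1, 10)),
    Release("12.0.1", date(2024, 3, 1), security_fix=True),
    Release("12.0.2", date(2025, 4, 1), security_fix=True),
    Release("13.0.0", date(2025, 3, 15)),
]


def evaluate(installed: str, catalogue: list[Release], today: date) -> list[tuple[str, int]]:
    """Return policy findings as (code, days) pairs; an empty list means compliant."""
    inst = parse_version(installed)
    branch = [r for r in catalogue if parse_version(r.version)[0] == inst[0]]
    if not branch:
        raise ValueError(f"unknown major branch for {installed}")
    findings = []
    # Rule 1: every security fix newer than the installed build must be applied within the window.
    missing = [r for r in branch if r.security_fix and parse_version(r.version) > inst]
    if missing:
        oldest = min(missing, key=lambda r: r.released)
        overdue = (today - oldest.released).days - PATCH_WINDOW_DAYS
        findings.append(("PATCH_OVERDUE" if overdue > 0 else "PATCH_DUE", abs(overdue)))
    # Rule 2: the major branch itself should be mature before production hosts run it.
    ga_date = min(r.released for r in branch)
    age = (today - ga_date).days
    if age < MAJOR_MIN_AGE_DAYS:
        findings.append(("MAJOR_TOO_NEW", MAJOR_MIN_AGE_DAYS - age))
    return findings


if __name__ == "__main__":
    today = date(2025, 4, 21)
    for host, ver in [("bkp-01", "12.0.1"), ("bkp-02", "13.0.0"), ("bkp-03", "12.0.2")]:
        print(host, ver, evaluate(ver, CATALOGUE, today) or "compliant")
```

The "days" value is days overdue for PATCH_OVERDUE, days remaining for PATCH_DUE, and days until the major branch reaches the minimum age for MAJOR_TOO_NEW.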