Okay, so Tomcat's a bust, but this sucker (CVE-2025-23120) could get interesting if the technical reality matches the advisory severity.
It still throws me how many incidents Rapid7 MDR sees that include abuse of Veeam Backup & Replication in some manner — the deployment footprint of this product is always surprising to me, maybe because it's not usually internet-exposed, dunno. Anywho, domain-joined backup servers might be "against best practices," but that doesn't mean it's uncommon 🤷♀️ Thx to @fuzz for being on top of it as usual!