Veeam has issued a critical security patch for its Backup & Replication software, addressing a severe remote code execution (RCE) vulnerability identified as CVE-2025-23120.
This flaw, disclosed on March 20, 2025, affects domain-joined installations of Veeam Backup & Replication version 12.3.0.310 and earlier builds, allowing authenticated domain users to execute arbitrary code remotely, which poses significant risks to enterprise environments.
The vulnerability was discovered by security researchers at watchTowr Labs and is classified with a near-maximum CVSS score of 9.9 out of 10, according to Bleeping Computer. It stems from a deserialization flaw in specific .NET classes within the software, namely Veeam.Backup.EsxManager.xmlFrameworkDs and Veeam.Backup.Core.BackupSummary.
Deserialization vulnerabilities arise when an application reconstructs objects from serialized data it does not fully trust, letting an attacker supply crafted objects whose reconstruction ends up executing code of the attacker's choosing.
Veeam had previously tried to mitigate similar issues with a blacklist (deny-list) of types that the deserializer refuses to instantiate, but the researchers found that a new exploit chain bypasses this protection by using gadget classes that the list does not cover.
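To make the deny-list weakness concrete, here is an added example that is not from the article, from Veeam or from watchTowr. It uses Python's pickle as a stand-in for the .NET serializer, with a hypothetical deny-list of "known bad" resolver targets beside an allow-list of the only type the application actually expects. The `_UnlistedGadget` class, the deny-list entries and the sample payloads are constructed for the demo; the gadget deliberately calls the harmless `builtins.sum` so that the only thing it proves is that code the application never asked for ran during deserialization.

```python
import datetime
import io
import pickle

# Deny-list: "known bad" targets a deserializer might refuse to resolve.
# Constructed for this demo; it can only ever list what its author thought of.
DENY_LIST = {
    ("os", "system"),
    ("subprocess", "Popen"),
    ("builtins", "eval"),
    ("builtins", "exec"),
}

# Allow-list: the only type this application ever expects to reconstruct
# beyond plain containers and primitives (which need no lookup at all).
ALLOW_LIST = {("datetime", "date")}


class DenyListUnpickler(pickle.Unpickler):
    """Refuses the named types; anything else is resolved and may be invoked."""

    def find_class(self, module, name):
        if (module, name) in DENY_LIST:
            raise pickle.UnpicklingError(f"denied: {module}.{name}")
        return super().find_class(module, name)


class AllowListUnpickler(pickle.Unpickler):
    """Resolves only types the application declared; everything else fails."""

    def find_class(self, module, name):
        if (module, name) not in ALLOW_LIST:
            raise pickle.UnpicklingError(f"not allowed: {module}.{name}")
        return super().find_class(module, name)


class _UnlistedGadget:
    """Constructed stand-in for a gadget the deny-list author did not anticipate.

    On deserialization the unpickler resolves builtins.sum and calls it with
    [1, 2, 3]. That is harmless here, but it is a callable the application
    never intended to run, and the deny-list has no entry for it.
    """

    def __reduce__(self):
        return (sum, ([1, 2, 3],))


def legit_payload():
    """Serialized data of the shape the application expects (constructed)."""
    record = {"job": "nightly", "ran_on": datetime.date(2025, 3, 20), "ok": True}
    return pickle.dumps(record)


def gadget_payload():
    """Serialized data carrying the unlisted gadget (constructed)."""
    return pickle.dumps(_UnlistedGadget())


def deserialize(data, unpickler_cls):
    """Returns ("ok", value) when the payload loads, or ("blocked", reason)."""
    try:
        return ("ok", unpickler_cls(io.BytesIO(data)).load())
    except pickle.UnpicklingError as exc:
        return ("blocked", str(exc))


def compare():
    """Runs both payloads through both policies and reports each outcome."""
    return {
        "deny/legit": deserialize(legit_payload(), DenyListUnpickler),
        "deny/gadget": deserialize(gadget_payload(), DenyListUnpickler),
        "allow/legit": deserialize(legit_payload(), AllowListUnpickler),
        "allow/gadget": deserialize(gadget_payload(), AllowListUnpickler),
    }


if __name__ == "__main__":
    for case, outcome in compare().items():
        print(f"{case:13} -> {outcome}")
```

Under the deny-list policy both payloads load: the legitimate record comes back intact, and the gadget payload comes back as `6`, the result of a call the application never made. Under the allow-list policy the legitimate record still loads, because `datetime.date` is declared, while the gadget payload is rejected the moment the unpickler asks for `builtins.sum`. The design point is that an allow-list fails closed for every type its author did not enumerate, whereas a deny-list fails open for exactly those.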
This oversight allows any user with domain access—often including many standard accounts—to exploit the vulnerability, potentially gaining complete control over backup servers.
While there are currently no reports of active exploitation in the wild, the detailed technical write-up from watchTowr Labs raises concerns that proof-of-concept exploits may soon emerge.
“While we would enjoy a world in which we could be a little merciful – today we’ll explore the painful world of blacklist-based security mechanisms. You can treat this post as a natural continuation of our CVE-2024-40711 writeup, which was written by fellow watchTowr Labs team member Sina Kheirkhah (@SinSinology),” watchTowr researchers said in their technical write-up.
“Our previous watchTowr Labs post provided a detailed walk-through of a Remote Code Execution vulnerability RCE issue in Veeam Backup & Replication, achievable from an unauthenticated perspective. This vulnerability was discovered and responsibly disclosed by one of our favourite researchers from ‘across the aisle’ – Florian Hauser (@Frycos) with Code White Gmbh – and the RCE itself was interesting with twists included.”
Given the historical targeting of Veeam Backup & Replication servers by ransomware groups, organizations are urged to prioritize upgrading to version 12.3.1 (build 12.3.1.1139), which contains the necessary fixes.
Veeam has advised against joining backup servers to Windows domains due to security risks; however, many companies continue this practice, increasing their vulnerability to attacks.
Experts recommend that organizations not only update their software immediately but also review and adhere to Veeam’s best practices, including considering disconnecting backup servers from their domains to enhance security.
“Veeam is committed to ensuring its products protect customers from potential risks,” Veeam says.
“When a vulnerability is identified, our team promptly develops a patch to address and mitigate the risk. In line with our dedication to transparency, we publicly disclose the vulnerability and provide detailed mitigation information. This approach ensures that all potentially affected customers can quickly implement the necessary measures to safeguard their systems.”
“It’s important to note that once a vulnerability and its associated patch are disclosed, attackers will likely attempt to reverse-engineer the patch to exploit unpatched deployments of Veeam software. This reality underscores the critical importance of ensuring that all customers use the latest versions of our software and install all updates and patches without delay.”