
A newly discovered vulnerability in Veeam's Backup & Replication software poses a significant security risk to domain-joined installations. Identified as CVE-2025-23120, this critical remote code execution flaw has been addressed in the latest software update. Organizations using this software should prioritize upgrading to the patched version to mitigate potential threats.
Understanding the Veeam Vulnerability
The vulnerability affects Veeam Backup & Replication version 12.3.0.310 and all earlier builds. The issue has been resolved in version 12.3.1 (build 12.3.1.1139), which was released recently. The flaw, discovered by watchTowr Labs, is a deserialization vulnerability within specific .NET classes of the software.
Technical Insights into CVE-2025-23120
Deserialization vulnerabilities occur when an application reconstructs objects from serialized data it does not fully trust; when the set of types that can be instantiated is not tightly controlled, attacker-supplied data can trigger code execution during deserialization. In this case, the vulnerability exists in the Veeam.Backup.EsxManager.xmlFrameworkDs and Veeam.Backup.Core.BackupSummary classes. Although Veeam had previously implemented a blacklist of known-dangerous types to address similar issues, watchTowr Labs identified a new gadget chain built from types the blacklist does not cover, which is why a deny-list approach tends to be fragile compared with an allow-list of expected types.
- Impact: The flaw is limited to domain-joined installations, where any authenticated domain user can exploit it.
- Risk: The vulnerability increases the attractiveness of Veeam servers to ransomware groups, as it facilitates data theft and backup deletion.
Mitigation and Best Practices
To safeguard against potential exploitation, organizations should upgrade to Veeam Backup & Replication version 12.3.1 immediately. Additionally, following Veeam's best practices, such as not joining the backup server to the production domain, further reduces the exposure, because the flaw is only reachable on domain-joined installations.
Proactive Security Measures
While there are no known instances of this vulnerability being exploited in the wild, the detailed technical information shared by watchTowr Labs could lead to a proof-of-concept being released. Organizations should remain vigilant and ensure their systems are up-to-date.
- Upgrade: Install version 12.3.1 to patch the vulnerability.
- Review Configurations: Ensure servers are not unnecessarily joined to a domain.
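The two checklist items above can be verified from the server itself. The following PowerShell is an added example for this article, not a script from Veeam or from watchTowr Labs: it compares the installed build against the affected and fixed builds the article names and reports whether the machine is domain-joined. The executable path is an assumption and should be replaced with the location of a Veeam Backup & Replication binary on the server; the build numbers are the ones stated in the article.

```powershell
# Added example: classify an installed Veeam Backup & Replication build against
# the builds named in the article, and report domain membership. Not vendor code.

$FixedBuild   = [System.Version]'12.3.1.1139'   # fixed build (from the article)
$LastAffected = [System.Version]'12.3.0.310'    # last affected build (from the article)

function Test-VeeamBuild {
    # Returns 'patched', 'affected', or 'unknown' for a four-part version string.
    param([Parameter(Mandatory)][string]$Version)
    try {
        $v = [System.Version]$Version
    } catch {
        return 'unknown'   # unparseable version string; check manually
    }
    if ($v -ge $FixedBuild)   { return 'patched' }
    if ($v -le $LastAffected) { return 'affected' }
    return 'unknown'          # build between the two reference points: confirm with the vendor advisory
}

function Get-DomainJoinState {
    # True when the machine is a member of an AD domain (the exposed configuration).
    return (Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain
}

# ASSUMPTION: placeholder path. Point this at a Veeam Backup & Replication
# executable or assembly whose file version tracks the product build.
$VeeamBinary = 'C:\PATH\TO\VEEAM\Veeam.Backup.SomeAssembly.exe'

if (Test-Path -Path $VeeamBinary) {
    $installed = (Get-Item -Path $VeeamBinary).VersionInfo.FileVersion
    $state     = Test-VeeamBuild -Version $installed
    '{0}: installed build {1} -> {2}' -f $env:COMPUTERNAME, $installed, $state
} else {
    "Veeam binary not found at '$VeeamBinary'; adjust the placeholder path."
}

if (Get-DomainJoinState) {
    'Server is domain-joined: the reachable configuration for CVE-2025-23120. Patch first, then review whether domain membership is required.'
} else {
    'Server is not domain-joined: still apply the 12.3.1 update.'
}
```

Run this in an elevated PowerShell session on each backup server and feed the output into your patch-tracking inventory; an 'affected' result combined with a domain-joined state is the case to remediate first. The 'unknown' branch is deliberate: a build that is newer than 12.3.0.310 but older than 12.3.1.1139 is not described by the article, so the script refuses to guess and leaves that decision to the vendor advisory.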