Veeam RCE bug lets domain users hack backup servers, patch now

Veeam has patched a critical remote code execution vulnerability tracked as CVE-2025-23120 in its Backup & Replication software that impacts domain-joined installations.

The flaw was disclosed yesterday and impacts Veeam Backup & Replication version 12.3.0.310 and all earlier version 12 builds. The company fixed it in version 12.3.1 (build 12.3.1.1139), which was released yesterday.

According to a technical writeup by watchTowr Labs, who discovered the bug, CVE-2025-23120 is a deserialization vulnerability in the Veeam.Backup.EsxManager.xmlFrameworkDs and Veeam.Backup.Core.BackupSummary .NET classes.

A deserialization flaw occurs when an application improperly processes serialized data, allowing attackers to inject malicious objects, or gadgets, that can execute harmful code.

Last year, Veeam fixed a previous deserialization RCE flaw discovered by researcher Florian Hauser. To fix that flaw, Veeam introduced a blacklist of known classes or objects that could be exploited.

However, watchTowr was able to find a different gadget chain that was not blacklisted to achieve remote code execution.

“Anyway, you’ve probably guessed where this is going today – it seems Veeam, despite being a ransomware gang’s favorite play toy – did not learn after the lesson given by Frycos in prior research published. You guessed it – they fixed the deserialization issues by adding entries to their deserialization blacklist.”

The good news is that the flaw only impacts Veeam Backup & Replication installations that are joined to a domain. The bad news is that any domain user can exploit this vulnerability, making it easily exploitable in those configurations.

Unfortunately, many companies have joined their Veeam server to a Windows domain, ignoring the company’s long-standing best practices.

Ransomware gangs have told BleepingComputer in the past that Veeam Backup & Replication servers are always targets, as they offer an easy way to steal data and block recovery efforts by deleting backups.

This flaw makes Veeam installs even more valuable to them because of the ease with which threat actors can breach the servers.

While there are no reports of this flaw being exploited in the wild, watchTowr has shared enough technical details that it would not be surprising to see a proof-of-concept (PoC) released soon.

Companies using Veeam Backup & Replication should make it a priority to upgrade to 12.3.1 as soon as possible.

Furthermore, given ransomware gangs’ interest in this application, it is strongly advised to review Veeam’s best practices and disconnect the server from your domain.