
Urgent Alert: Critical Veeam RCE Vulnerability Exposed — Immediate Action Required!
2025-03-20
Author: Nur
Overview of the Vulnerability
Veeam has issued a crucial patch for a severe remote code execution (RCE) vulnerability classified as CVE-2025-23120, affecting installations of its Backup & Replication software that are joined to a domain. This flaw poses a significant risk, allowing domain-joined users to potentially compromise backup servers.
Details of the Issue
The vulnerability was disclosed yesterday and impacts Veeam Backup & Replication version 12.3.0.310 and all earlier versions of the 12.x builds. Thankfully, Veeam has rectified this issue with the release of version 12.3.1 (build 12.3.1.1139) on the same day.
Technical Analysis
WatchTowr Labs, the firm that identified the bug, described CVE-2025-23120 as a deserialization vulnerability within two specific .NET classes: Veeam.Backup.EsxManager.xmlFrameworkDs and Veeam.Backup.Core.BackupSummary. Deserialization flaws occur when a system rebuilds objects from serialized data it should not trust, allowing attackers to supply crafted objects capable of executing malicious code.
Previous Vulnerabilities
In a previous update, Veeam addressed an earlier deserialization RCE vulnerability found by researcher Florian Hauser, implementing a blacklist to mitigate known exploitable classes. However, WatchTowr has demonstrated that a different gadget chain—unlisted on the original blacklist—could still enable an attacker to execute harmful commands remotely.
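Why a blacklist leaves this gap while an allowlist does not, shown as an added example that is not Veeam's or WatchTowr's code. Python's pickle stands in for the .NET deserializer, and the listed type names and the harmless Fraction stand-in for an unreviewed type are assumptions constructed for illustration.

```python
import io
import pickle
from collections import OrderedDict
from fractions import Fraction

# Constructed denylist: types known to be dangerous when the list was written.
DENYLIST = {("os", "system"), ("subprocess", "Popen"), ("builtins", "eval")}
# Constructed allowlist: the only types this application expects to receive.
ALLOWLIST = {("collections", "OrderedDict")}


class DenylistUnpickler(pickle.Unpickler):
    """Fails open: any type that is not explicitly listed gets resolved."""

    def find_class(self, module, name):
        if (module, name) in DENYLIST:
            raise pickle.UnpicklingError(f"blocked {module}.{name}")
        return super().find_class(module, name)


class AllowlistUnpickler(pickle.Unpickler):
    """Fails closed: only expected types are resolved."""

    def find_class(self, module, name):
        if (module, name) not in ALLOWLIST:
            raise pickle.UnpicklingError(f"unexpected type {module}.{name}")
        return super().find_class(module, name)


def try_load(unpickler_cls, blob):
    """Return ('loaded', type name) or ('rejected', reason) for one blob."""
    try:
        obj = unpickler_cls(io.BytesIO(blob)).load()
        return ("loaded", type(obj).__name__)
    except pickle.UnpicklingError as exc:
        return ("rejected", str(exc))


# Constructed inputs. Fraction is a harmless stand-in for "a type the
# denylist author never reviewed"; it is not a gadget.
EXPECTED = pickle.dumps(OrderedDict(job="nightly"))
UNREVIEWED = pickle.dumps(Fraction(1, 3))

if __name__ == "__main__":
    for label, blob in (("expected", EXPECTED), ("unreviewed", UNREVIEWED)):
        print(label, "denylist:", try_load(DenylistUnpickler, blob))
        print(label, "allowlist:", try_load(AllowlistUnpickler, blob))
```

The denylist loads the unreviewed type because nobody listed it, which is the same structural gap the second gadget chain used. The allowlist rejects it without needing to know it exists.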
Implications for Organizations
The implications are significant, especially since many organizations have integrated their Veeam servers within a Windows domain context, a practice that runs counter to Veeam's long-standing security recommendations. Ransomware groups have long targeted Veeam Backup & Replication servers, utilizing these vulnerabilities to steal sensitive data and obstruct recovery efforts by deleting backups.
Increased Threat Landscape
This specific flaw enhances the attractiveness of Veeam installations as targets because of the ease with which hackers can breach the servers. Although there have been no confirmed reports of exploitation in the wild thus far, the detailed technical information made available by WatchTowr might lead to the swift development of a proof of concept (PoC) exploit.
Recommended Actions
For businesses relying on Veeam Backup & Replication, it is imperative to upgrade to version 12.3.1 without delay to protect against potential exploitation. Moreover, due to the increased threat posed by ransomware gangs interested in this software, it is highly advisable to reassess security configurations and consider disconnecting Veeam servers from operational domains.
Conclusion
Don't wait for an attack to occur—take action now to secure your data and systems!