Veeam Backup and Replication Remote Code Execution Vulnerability (CVE-2025-23120)

Veeam has addressed a vulnerability impacting its Backup & Replication product. Tracked as CVE-2025-23120, the vulnerability has a critical severity rating with a CVSS score of 9.9. Successful exploitation may allow an attacker to execute arbitrary code, leading to critical data loss and possible system compromise. Piotr Bazydlo of watchTowr discovered and reported the vulnerability to Veeam.

Veeam Backup & Replication is one of the industry-leading backup, recovery, and data security solutions for all workloads, both on-premises and in the cloud. The software provides secure, robust, and reliable data protection. With a software-defined, hardware-independent solution, the software can eliminate downtime with instant recovery, protect from cyber threats with native immutability, and use validated backups.

Vulnerability and Exploitation Details

A security researcher at watchTowr Labs published an article describing the remote code execution vulnerability impacting Veeam Backup & Replication. The vulnerability originates from the use of blacklist-based security mechanisms during deserialization: only type names already known to be dangerous are blocked, so any gadget class not on the list is still accepted. A deserialization flaw arises when an application processes untrusted serialized data without adequately validating it, allowing an attacker to inject malicious objects whose deserialization executes harmful code.

The deserialization flaw exists in the Veeam.Backup.EsxManager.xmlFrameworkDs and Veeam.Backup.Core.BackupSummary .NET classes. The vulnerability may allow any user within the local users’ group on the Windows host running Veeam Backup & Replication to execute arbitrary code. Any domain user could exploit the vulnerability if the server is part of a domain.
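The blacklist-versus-allowlist distinction the advisory points to, shown as an added C# example (not Veeam's code or the researcher's): a SerializationBinder that only refuses listed type names lets an unlisted type through, while one that admits only the expected types rejects it by default. The type names used below are constructed stand-ins, not the gadget classes from this vulnerability.

```csharp
using System;
using System.Collections.Generic;
using System.Runtime.Serialization;

// Deny-list binder: the pattern the advisory identifies as the root cause.
// Only listed type names are refused; any other type the runtime can find
// still resolves, so a gadget class nobody has listed yet is accepted.
sealed class DenyListBinder : SerializationBinder
{
    private readonly HashSet<string> _denied;
    public DenyListBinder(params string[] denied) =>
        _denied = new HashSet<string>(denied, StringComparer.Ordinal);

    public override Type BindToType(string assemblyName, string typeName)
    {
        if (_denied.Contains(typeName))
            throw new SerializationException($"Denied type: {typeName}");
        return Type.GetType(typeName, throwOnError: true);
    }
}

// Allow-list binder: resolves only the concrete types the application expects
// in this stream and refuses everything else by default.
sealed class AllowListBinder : SerializationBinder
{
    private readonly Dictionary<string, Type> _allowed =
        new Dictionary<string, Type>(StringComparer.Ordinal);
    public AllowListBinder(params Type[] allowed)
    {
        foreach (var t in allowed) _allowed[t.FullName] = t;
    }

    public override Type BindToType(string assemblyName, string typeName)
    {
        if (_allowed.TryGetValue(typeName, out var type)) return type;
        throw new SerializationException($"Type not permitted: {typeName}");
    }
}

static class BinderDemo
{
    // "resolved" or "blocked" for one type name under one binder. Either binder
    // is what you would assign to a formatter's Binder property before deserializing.
    static string Evaluate(SerializationBinder binder, string typeName)
    {
        try { binder.BindToType("mscorlib", typeName); return "resolved"; }
        catch (SerializationException) { return "blocked"; }
    }

    static void Main()
    {
        // Constructed stand-ins: the expected payload type, a gadget already on
        // the deny list, and a newly discovered gadget that nobody listed yet.
        string expected = typeof(Version).FullName;
        string knownGadget = typeof(System.IO.MemoryStream).FullName;
        string newGadget = typeof(System.Collections.Hashtable).FullName;
        var denyList = new DenyListBinder(knownGadget);
        var allowList = new AllowListBinder(typeof(Version));
        foreach (var name in new[] { expected, knownGadget, newGadget })
            Console.WriteLine($"{name,-30} deny-list: {Evaluate(denyList, name),-8} allow-list: {Evaluate(allowList, name)}");
    }
}
```

The deny-list binder resolves the unlisted stand-in gadget while the allow-list binder blocks it; only the expected type passes both.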

Affected Versions

The vulnerability affects Veeam Backup and Replication 12.3.0.310 and all earlier version 12 builds.

Mitigation

Customers must upgrade to Veeam Backup & Replication 12.3.1 (build 12.3.1.1139) to patch the vulnerability.

Please refer to the Veeam Security Advisory (KB4724) for more information.

Qualys Detection

Qualys customers can scan their devices with QID 382965 to detect vulnerable assets.

Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.

References
https://www.veeam.com/kb4724
https://labs.watchtowr.com/by-executive-order-we-are-banning-blacklists-domain-level-rce-in-veeam-backup-replication-cve-2025-23120/
