FlagThis

A critical vulnerability, identified as CVE-2025-23120, has been discovered in Veeam Backup & Replication software. This flaw allows authenticated domain users to execute remote code, potentially leading to the compromise of enterprise backup infrastructures. The vulnerability affects versions 12, 12.1, 12.2, and 12.3 of Veeam Backup & Replication and has been assigned a CVSS score of 9.9, indicating a critical severity. The issue was reported by Piotr Bazydlo of watchTowr and highlights the importance of community engagement in addressing security issues.

Veeam has addressed this vulnerability in version 12.3.1 (build 12.3.1.1139), and users are strongly urged to apply the patch immediately. The vulnerability specifically impacts domain-joined backup servers, which goes against Security & Compliance Best Practices. It is imperative for organizations to prioritize updates to ensure their systems remain secure. The company also emphasizes its commitment to customer security through a Vulnerability Disclosure Program and rigorous internal code audits.

ImgSrc: arcticwolf.com

References :

• gbhackers.com: Critical Veeam Backup & Replication Vulnerability Allows Remote Execution of Malicious Code
• securityonline.info: CVE-2025-23120 (CVSS 9.9): Critical RCE Vulnerability Discovered in Veeam Backup & Replication
• Help Net Security: Critical Veeam Backup & Replication RCE vulnerability fixed, patch ASAP! (CVE-2025-23120)
• www.redhotcyber.com: Vulnerabilità critica da 9.9 di Score in Veeam Backup & Replication che consente RCE
• borncity.com: Warning for users of Veeam Backup & Replication. Vendor Veeam has informed it's customers on March 19, 2025 about a Remote Code Execution (RCE) vulnerability CVE-2025-23120 in various versions of the mentioned product. It can be abused in domain joined
• Vulnerability-Lookup: You can now share your thoughts on vulnerability CVE-2025-23120 in Vulnerability-Lookup: Veeam - Backup and Recovery
• Rescana: Urgent Alert: CVE-2025-23120 Vulnerability in Veeam Backup & Replication Risks RCE Exploitation
• The DefendOps Diaries: Understanding and Mitigating the CVE-2025-23120 Vulnerability in Veeam Backup & Replication
• Security Affairs: Veeam fixed critical Backup & Replication flaw CVE-2025-23120
• socradar.io: Critical Veeam Vulnerability (CVE-2025-23120) Enables Remote Code Execution by Domain Users
• Arctic Wolf: CVE-2025-23120: Critical Remote Code Execution Vulnerability in Veeam Backup & Replication
• Blog: Another critical deserialization flaw found in Veeam backup
• www.bleepingcomputer.com: Veeam has patched a critical remote code execution vulnerability tracked as CVE-2025-23120 in its Backup & Replication software that impacts domain-joined installations. [...]
• Christoffer S.: By Executive Order, We Are Banning Blacklists - Domain-Level RCE in Veeam Backup & Replication (CVE-2025-23120) By Executive Order I hereby BAN deserialization issues. I don't know how many god damned times I've read about how critical software vulnerabilities have been rooted in deserialization issues, and here we go again. Thanks watchTowr for an entertaining read. Summary This research details two Remote Code Execution (RCE) vulnerabilities in Veeam Backup & Replication (CVE-2025-23120) discovered by watchTowr Labs. The vulnerabilities exploit deserialization flaws in Veeam's codebase, specifically targeting the product's reliance on blacklist-based security mechanisms rather than proper whitelisting. The researchers demonstrate how any domain user can exploit these vulnerabilities when the Veeam server is joined to an Active Directory domain, potentially allowing complete system compromise. The vulnerabilities were responsibly disclosed to Veeam, who patched them by simply adding the discovered gadget classes to their blacklist, a solution the researchers criticize as inadequate and likely to lead to similar vulnerabilities in the future.
• MSSP feed for Latest: Veeam patches critical Backup & Replication flaw CVE-2025-23120
• www.techradar.com: Researchers criticize the way Veeam handled deserialization flaws.
• Christoffer S.: By Executive Order, We Are Banning Blacklists - Domain-Level RCE in Veeam Backup & Replication (CVE-2025-23120)
• bsky.app: Veeam has patched a critical remote code execution vulnerability tracked as CVE-2025-23120 in its Backup & Replication software that impacts domain-joined installations.
• Security Risk Advisors: Critical RCE in #Veeam Backup & Replication (CVE-2025-23120) lets domain users run rogue code.
• research.kudelskisecurity.com: A newly discovered vulnerability in Veeam Backup & Replication, tracked as CVE-2025-23120, has emerged as a critical threat for enterprise environments. This flaw enables authenticated domain users to execute arbitrary code remotely, exposing a direct path to compromising backup infrastructure.
• www.sentinelone.com: A newly disclosed vulnerability, tracked as CVE-2025-23120, affecting Veeam Backup & Replication, enables authenticated domain users to execute arbitrary code remotely, exposing a direct path to compromising backup infrastructure.
• Cyber Security News: CyberPress : Veeam RCE Vulnerability Allows Domain Users to Compromise Backup Servers
• www.scworld.com: Veeam patches critical 9.9 flaw in backup and replication product
• : A critical remote code execution flaw patched in Veeam backup servers
• Arctic Wolf: On March 19, 2025, Veeam published a security advisory for a critical severity vulnerability impacting their Backup & Replication software.
• Help Net Security: Week in review: Veeam Backup & Replication RCE fixed, free file converter sites deliver malware

Classification:

• HashTags: #RCE #Veeam #BackupSecurity
• Company: Veeam
• Target: Enterprises
• Product: Veeam Backup & Replication
• Feature: Remote Code Execution
• Type: Vulnerability
• Severity: Critical