CyberSecurity news

On June 17, 2025, Veeam released critical security updates for its Backup & Replication software to address several vulnerabilities, including a critical Remote Code Execution (RCE) flaw identified as CVE-2025-23121. The vulnerability, which has a CVSS score of 9.9, could allow an authenticated domain user to execute arbitrary code on affected Backup Servers, potentially leading to system compromise. This flaw impacts Veeam Backup & Replication version 12 builds, including version 12.3.1.1139. The update to version 12.3.2 (build 12.3.2.3617) resolves this critical issue and other related vulnerabilities.

Researchers at watchTowr and Code White GmbH found that CVE-2025-23121 bypasses the patch Veeam released in March 2025 for CVE-2025-23120. According to the researchers, the underlying issue stems from uncontrolled deserialization in BinaryFormatter, a component that Microsoft has deprecated and deemed inherently insecure. Veeam's approach to mitigating these vulnerabilities has been to maintain an exclusion list of gadget types that can trigger deserialization issues; the researchers argue that this approach is not sufficient, as the bypass of the March patch shows.

Veeam has urged users to update to the latest patched version of Backup & Replication, specifically version 12.3.2, as soon as possible. While Veeam notes that unsupported product versions have not been tested, they are likely affected and should be considered vulnerable. The company also advises against joining backup servers to domains, although this practice is common for efficiency. Veeam recommends implementing best practices like using a separate management workgroup or domain for Veeam components to isolate them from the protected environment.
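As an added defender-side check (not code from the advisory or from Veeam), the following Python compares an inventoried Backup & Replication build string against the fixed build 12.3.2.3617 named above, and treats pre-12 builds as unsupported and therefore vulnerable, per Veeam's guidance; apart from the two builds quoted on this page, the sample inventory strings are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass

# Fixed build named in the advisory summary above (page value).
FIXED_BUILD = (12, 3, 2, 3617)
# The advisory covers the version-12 build line; older lines are unsupported
# and, per Veeam's guidance, should be treated as vulnerable.
SUPPORTED_MAJOR = 12


@dataclass(frozen=True)
class Assessment:
    build: str
    status: str  # "fixed", "vulnerable", "unsupported-assume-vulnerable", "unknown"
    needs_update: bool


def parse_build(build: str) -> tuple[int, ...] | None:
    """Parse a dotted numeric build such as '12.3.1.1139'; None if malformed."""
    parts = build.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def assess_build(build: str) -> Assessment:
    """Classify a Backup & Replication build against the 12.3.2.3617 fix."""
    parsed = parse_build(build)
    if parsed is None:
        # Unparseable inventory data: flag it rather than silently pass it.
        return Assessment(build, "unknown", True)
    # Pad to four components so a bare "12.3.2" compares as 12.3.2.0, which
    # is below the fixed build and is therefore still reported as vulnerable.
    padded = parsed + (0,) * (4 - len(parsed))
    if padded[0] < SUPPORTED_MAJOR:
        return Assessment(build, "unsupported-assume-vulnerable", True)
    if padded >= FIXED_BUILD:
        return Assessment(build, "fixed", False)
    return Assessment(build, "vulnerable", True)


if __name__ == "__main__":
    # Constructed sample inventory: 12.3.1.1139 and 12.3.2.3617 are the builds
    # quoted on this page; the other strings are illustrative.
    for b in ["12.3.1.1139", "12.3.2.3617", "12.3.2", "11.0.0.1", "12.x"]:
        print(assess_build(b))
```

Anything other than "fixed" should go on the update list; a version string without the fourth build component cannot prove the fix is present and is deliberately not given the benefit of the doubt.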


References:
  • cert.europa.eu: On June 17, 2025, Veeam released an advisory addressing several vulnerabilities in Veeam Backup & Replication, one of which is rated as critical. Updating as soon as possible is recommended.
  • research.kudelskisecurity.com: On June 17, data resilience vendor Veeam released security updates to fix three vulnerabilities: one critical severity RCE and one high severity ACE.
  • The Register - Security: Veeam patches third critical RCE bug in Backup & Replication in space of a year.
  • securityaffairs.com: Veeam addressed a new critical flaw in the Backup & Replication product that could potentially result in remote code execution.
  • www.cybersecuritydive.com: Researchers urge vigilance as Veeam releases patch to address critical flaw.
  • Security Risk Advisors: Critical Remote Code Execution Vulnerability Patched in Veeam Backup & Replication 12.3.2.
  • research.kudelskisecurity.com: Veeam Backup & Replication: Critical RCE Patched.
  • www.veeam.com: Critical Remote Code Execution Vulnerability Patched in Veeam Backup & Replication 12.3.2 (CVE-2025-23121, CVE-2025-24286 and CVE-2025-24287).
Classification:
  • HashTags: #Veeam #RCE #Vulnerability
  • Company: Veeam
  • Target: Veeam Backup & Replication Users
  • Product: Veeam Backup & Replication
  • Feature: Backup & Replication
  • Type: Vulnerability
  • Severity: Critical