Julian Tuin@Arctic Wolf
//
A critical vulnerability, tracked as CVE-2025-23120, has been disclosed in Veeam Backup & Replication. It allows any authenticated domain user to execute code remotely on the backup server, which is a direct path to compromising an enterprise's backup infrastructure. The flaw affects Veeam Backup & Replication 12, 12.1, 12.2 and 12.3 and carries a CVSS score of 9.9 (critical). It was reported by Piotr Bazydlo of watchTowr; the write-ups cited below describe the root cause as a deserialization flaw in code that relied on a blacklist of known dangerous classes, with Veeam's fix adding the newly found gadget classes to that blacklist.
Veeam fixed the flaw in version 12.3.1 (build 12.3.1.1139), and users are strongly urged to apply the update immediately. Only domain-joined backup servers are exposed; joining the backup server to the production domain is itself contrary to Veeam's Security & Compliance Best Practices, so organizations that cannot patch at once should at least confirm whether their backup server is domain-joined and treat any such server as reachable by every domain account. Veeam also points to its Vulnerability Disclosure Program and internal code audits as part of its response.
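The references below criticise the blacklist approach to deserialization hardening. The following is an added illustration of why that criticism holds, written in Python against `pickle` as a stand-in for the .NET serializer in Veeam's code; it is not Veeam's code and the `BackupJob` type, the gadget classes and the two list contents are constructed for the example. A denylist unpickler stops the gadget it knows about and lets an unlisted one run, while an allowlist unpickler refuses anything that is not an expected type.

```python
import builtins
import io
import pickle
import subprocess


class BackupJob:
    """Hypothetical application object that is legitimately serialized."""

    def __init__(self, name, repository):
        self.name = name
        self.repository = repository


# Blacklist: the handful of gadgets the vendor already knows about.
DENYLIST = {("subprocess", "check_output"), ("subprocess", "Popen"), ("os", "system")}

# Whitelist: the only types the application ever expects to deserialize.
ALLOWLIST = {(BackupJob.__module__, "BackupJob"), ("collections", "OrderedDict")}


class DenylistUnpickler(pickle.Unpickler):
    """Rejects only the known-bad callables; everything else resolves."""

    def find_class(self, module, name):
        if (module, name) in DENYLIST:
            raise pickle.UnpicklingError(f"blocked known gadget {module}.{name}")
        return super().find_class(module, name)


class AllowlistUnpickler(pickle.Unpickler):
    """Resolves nothing that is not explicitly expected."""

    def find_class(self, module, name):
        if (module, name) not in ALLOWLIST:
            raise pickle.UnpicklingError(f"{module}.{name} is not an allowed type")
        return super().find_class(module, name)


class KnownGadget:
    """Attacker payload built on a gadget that is already on the blacklist."""

    def __reduce__(self):
        return (subprocess.check_output, (["echo", "owned"],))


class NovelGadget:
    """Attacker payload built on a gadget the blacklist has not caught up with.
    eval of an arithmetic expression stands in for the command an attacker
    would really run; the point is that attacker-chosen code executes."""

    def __init__(self, expression):
        self.expression = expression

    def __reduce__(self):
        return (builtins.eval, (self.expression,))


def load(unpickler_cls, data):
    """Returns the deserialized object, or 'rejected' if the unpickler refused."""
    try:
        return unpickler_cls(io.BytesIO(data)).load()
    except pickle.UnpicklingError:
        return "rejected"


def demo():
    legit = pickle.dumps(BackupJob("nightly-full", "repo-01"))
    known = pickle.dumps(KnownGadget())
    novel = pickle.dumps(NovelGadget("6 * 7"))
    return {
        "denylist_legit": load(DenylistUnpickler, legit).name,
        "denylist_known_gadget": load(DenylistUnpickler, known),   # blocked
        "denylist_novel_gadget": load(DenylistUnpickler, novel),   # 42: code ran
        "allowlist_legit": load(AllowlistUnpickler, legit).name,
        "allowlist_known_gadget": load(AllowlistUnpickler, known),
        "allowlist_novel_gadget": load(AllowlistUnpickler, novel),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The denylist version only ever catches the gadgets someone has already reported, which is exactly the cycle the watchTowr write-up describes; the allowlist version needs no knowledge of gadget chains at all, because the deserializer never resolves a type the application did not ask for.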
References:
- gbhackers.com: Critical Veeam Backup & Replication Vulnerability Allows Remote Execution of Malicious Code
- securityonline.info: CVE-2025-23120 (CVSS 9.9): Critical RCE Vulnerability Discovered in Veeam Backup & Replication
- Help Net Security: Critical Veeam Backup & Replication RCE vulnerability fixed, patch ASAP! (CVE-2025-23120)
- www.redhotcyber.com: Critical vulnerability with a 9.9 score in Veeam Backup & Replication allows RCE
- borncity.com: Warning for users of Veeam Backup & Replication. Vendor Veeam has informed its customers on March 19, 2025 about a Remote Code Execution (RCE) vulnerability CVE-2025-23120 in various versions of the mentioned product. It can be abused in domain joined
- Vulnerability-Lookup: You can now share your thoughts on vulnerability CVE-2025-23120 in Vulnerability-Lookup: Veeam - Backup and Recovery
- Rescana: Urgent Alert: CVE-2025-23120 Vulnerability in Veeam Backup & Replication Risks RCE Exploitation
- The DefendOps Diaries: Understanding and Mitigating the CVE-2025-23120 Vulnerability in Veeam Backup & Replication
- Security Affairs: Veeam fixed critical Backup & Replication flaw CVE-2025-23120
- socradar.io: Critical Veeam Vulnerability (CVE-2025-23120) Enables Remote Code Execution by Domain Users
- Arctic Wolf: CVE-2025-23120: Critical Remote Code Execution Vulnerability in Veeam Backup & Replication
- Blog: Another critical deserialization flaw found in Veeam backup
- www.bleepingcomputer.com: Veeam has patched a critical remote code execution vulnerability tracked as CVE-2025-23120 in its Backup & Replication software that impacts domain-joined installations. [...]
- Christoffer S.: By Executive Order, We Are Banning Blacklists - Domain-Level RCE in Veeam Backup & Replication (CVE-2025-23120) By Executive Order I hereby BAN deserialization issues. I don't know how many god damned times I've read about how critical software vulnerabilities have been rooted in deserialization issues, and here we go again. Thanks watchTowr for an entertaining read. Summary: This research details two Remote Code Execution (RCE) vulnerabilities in Veeam Backup & Replication (CVE-2025-23120) discovered by watchTowr Labs. The vulnerabilities exploit deserialization flaws in Veeam's codebase, specifically targeting the product's reliance on blacklist-based security mechanisms rather than proper whitelisting. The researchers demonstrate how any domain user can exploit these vulnerabilities when the Veeam server is joined to an Active Directory domain, potentially allowing complete system compromise. The vulnerabilities were responsibly disclosed to Veeam, who patched them by simply adding the discovered gadget classes to their blacklist, a solution the researchers criticize as inadequate and likely to lead to similar vulnerabilities in the future.
- MSSP feed for Latest: Veeam patches critical Backup & Replication flaw CVE-2025-23120
- www.techradar.com: Researchers criticize the way Veeam handled deserialization flaws.
- bsky.app: Veeam has patched a critical remote code execution vulnerability tracked as CVE-2025-23120 in its Backup & Replication software that impacts domain-joined installations.
- Security Risk Advisors: Critical RCE in #Veeam Backup & Replication (CVE-2025-23120) lets domain users run rogue code.
- research.kudelskisecurity.com: A newly discovered vulnerability in Veeam Backup & Replication, tracked as CVE-2025-23120, has emerged as a critical threat for enterprise environments. This flaw enables authenticated domain users to execute arbitrary code remotely, exposing a direct path to compromising backup infrastructure.
- www.sentinelone.com: A newly disclosed vulnerability, tracked as CVE-2025-23120, affecting Veeam Backup & Replication, enables authenticated domain users to execute arbitrary code remotely, exposing a direct path to compromising backup infrastructure.
- Cyber Security News: CyberPress : Veeam RCE Vulnerability Allows Domain Users to Compromise Backup Servers
- www.scworld.com: Veeam patches critical 9.9 flaw in backup and replication product
- www.csoonline.com: A critical remote code execution flaw patched in Veeam backup servers
- Arctic Wolf: On March 19, 2025, Veeam published a security advisory for a critical severity vulnerability impacting their Backup & Replication software.
- Help Net Security: Week in review: Veeam Backup & Replication RCE fixed, free file converter sites deliver malware
@www.helpnetsecurity.com
//
End-of-life Zyxel routers are under active attack via CVE-2024-40891, a command injection vulnerability, and Zyxel has confirmed that no patches will be released. The affected models are VMG1312-B10A, VMG1312-B10B, VMG1312-B10E, VMG3312-B10A, VMG3313-B10A, VMG3926-B10B, VMG4325-B10A, VMG4380-B10A, VMG8324-B10A, VMG8924-B10A, SBG3300 and SBG3500. Zyxel advises users to replace these devices; customers who obtained their Zyxel device through an internet service provider (ISP) should contact the ISP for support. Despite the EOL status, roughly 1,500 affected devices with internet-facing Telnet interfaces remain in use worldwide, and until such a device is replaced its Telnet management interface should at minimum not be reachable from the internet.
Separately, a vulnerability tracked as CVE-2025-23114 (CVSS 9.0) has been identified in the Veeam Updater component. The updater fails to properly validate TLS certificates, so an attacker positioned between the appliance and the update source (a man-in-the-middle) can substitute a malicious update and execute arbitrary code on the appliance server with root-level permissions. The flaw affects Veeam Backup for AWS, Veeam Backup for Google Cloud, Veeam Backup for Microsoft Azure, Veeam Backup for Nutanix AHV, Veeam Backup for Oracle Linux Virtualization Manager and Red Hat Virtualization, and Veeam Backup for Salesforce. Users are advised to review Veeam's knowledge base article KB4712 for affected builds, fixed versions and mitigation steps.
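The CVE-2025-23114 summary above comes down to an update client that did not verify the server it was talking to. The following added example, written for this page in Python and not taken from Veeam's updater, shows the weak TLS client setting beside the corrected one and a download routine that refuses to run over an unverified session and additionally checks the artifact against a digest obtained out of band. The update URL, the sample payload and the injectable `transport` hook are constructed for the example so it runs offline.

```python
import hashlib
import hmac
import ssl
import urllib.request


def insecure_updater_context():
    """The weak setting: the client accepts any certificate for any name, so
    an on-path attacker can terminate TLS with a certificate of their own."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False        # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_updater_context(ca_bundle=None):
    """The corrected setting: chain validation against a trusted CA bundle
    (the system store, or a pinned vendor bundle) plus hostname matching."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def fetch_update(url, expected_sha256, ctx=None, transport=None):
    """Download an update artifact and verify it before handing it back.

    transport(url, ctx) -> bytes is injectable so the logic can be exercised
    without network access; the default uses urllib with the given context.
    """
    ctx = ctx or hardened_updater_context()
    # Refuse outright over an unverified session, however the context was built.
    if ctx.verify_mode != ssl.CERT_REQUIRED or not ctx.check_hostname:
        raise ValueError("refusing to fetch updates over an unverified TLS session")
    if not url.lower().startswith("https://"):
        raise ValueError("update URL must use https")
    if transport is None:
        def transport(u, c):
            with urllib.request.urlopen(u, context=c) as resp:
                return resp.read()
    payload = transport(url, ctx)
    # Independent second check: the artifact must match a digest published
    # out of band (for example in a signed manifest), so a substituted file
    # is caught even if the transport were compromised some other way.
    actual = hashlib.sha256(payload).hexdigest()
    if not hmac.compare_digest(actual, expected_sha256.lower()):
        raise ValueError(f"update digest mismatch: got {actual}")
    return payload


# Constructed sample artifact and its "published" digest.
SAMPLE_UPDATE = b"sample-updater-package-v1"
SAMPLE_SHA256 = hashlib.sha256(SAMPLE_UPDATE).hexdigest()
UPDATE_URL = "https://updates.example.invalid/updater.bin"   # hypothetical


def genuine_transport(url, ctx):
    return SAMPLE_UPDATE


def tampered_transport(url, ctx):
    return SAMPLE_UPDATE + b"#injected"


def demo():
    """Runs the three cases offline and reports which ones were accepted."""
    results = {}
    try:
        fetch_update(UPDATE_URL, SAMPLE_SHA256, insecure_updater_context(), genuine_transport)
        results["insecure_context"] = "accepted"
    except ValueError:
        results["insecure_context"] = "refused"
    try:
        fetch_update(UPDATE_URL, SAMPLE_SHA256, hardened_updater_context(), tampered_transport)
        results["tampered_payload"] = "accepted"
    except ValueError:
        results["tampered_payload"] = "refused"
    got = fetch_update(UPDATE_URL, SAMPLE_SHA256, hardened_updater_context(), genuine_transport)
    results["genuine_payload"] = got == SAMPLE_UPDATE
    return results


if __name__ == "__main__":
    print(demo())
```

Checking `verify_mode` and `check_hostname` inside `fetch_update` is deliberate: it catches the case where someone later "fixes" a certificate error by loosening the context, which is how the insecure variant usually enters a code base.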
References:
- gbhackers.com: GBHackers' article detailing the critical Veeam backup vulnerability and RCE.
- securityonline.info: SecurityOnline's article on CVE-2025-23114, highlighting the remote code execution risk.
- socca.tech: Socca.tech's vulnerability assessment report on CVE-2025-23114.
- gbhackers.com: Veeam Backup Vulnerability Allows Attackers to Execute Arbitrary Code
- securityonline.info: CVE-2025-23114 (CVSS 9.0): Critical Veeam Backup Vulnerability Enables Remote Code Execution
- socradar.io: Critical Veeam Vulnerability (CVE-2025-23114) Exposes Backup Servers to Remote Code Execution
- CVE-2025-23114 (9.0 critical): A vulnerability within the Veeam Updater component that allows an attacker to utilize a Man-in-the-Middle attack to execute arbitrary code on the affected appliance server with root-level permissions.
- www.heise.de: Veeam Backup: code injection possible via MitM flaw in the updater. Veeam Backup contains an updater that is vulnerable to man-in-the-middle attacks.
- The Hacker News: New Veeam Flaw Allows Arbitrary Code Execution via Man-in-the-Middle Attack
- nvd.nist.gov: The National Vulnerability Database (NVD) provides details about the vulnerability, including its severity and potential impact.
- www.veeam.com: Veeam's official knowledge base article details the vulnerability, provides guidance on mitigating the risk, and outlines recommended actions.
- www.helpnetsecurity.com: There will be no patches for EOL Zyxel routers under attack via CVE-2024-40891
@securityonline.info
//
Veeam has released a patch for a high-severity Server-Side Request Forgery (SSRF) vulnerability in Veeam Backup for Microsoft Azure. The flaw, tracked as CVE-2025-23082, lets an attacker make the backup server issue requests of the attacker's choosing, which can be used to enumerate hosts and services on the internal network and to reach other services that trust the server's source address. It has a CVSS score of 7.2 (high) and affects all versions of Veeam Backup for Microsoft Azure up to and including 7.1.0.22.
The vulnerability was found during Veeam's internal testing. Users should upgrade to version 7.1.0.59 or later, where it is fixed; where an upgrade must wait, restricting the backup server's outbound network access limits what an SSRF can reach.
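As an added example of the control that stops the request-forgery pattern described above (not Veeam's code, and not a description of the CVE-2025-23082 bug itself), the following Python function validates an outbound URL before a server makes the request: scheme and host must be on an allowlist, credentials in the URL are refused, and every address the host resolves to must be publicly routable, which rules out the Azure instance metadata endpoint at 169.254.169.254 and internal ranges. The resolver is injectable, and the constructed DNS table in `demo()` stands in for real lookups so the example runs offline.

```python
import ipaddress
import socket
from collections import namedtuple
from urllib.parse import urlsplit

Verdict = namedtuple("Verdict", "ok reason addresses")

ALLOWED_SCHEMES = {"https"}


def is_public_address(ip_text):
    """True only for globally routable unicast addresses. Link-local covers
    cloud metadata services such as Azure IMDS (169.254.169.254)."""
    ip = ipaddress.ip_address(ip_text)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def system_resolve(host):
    """Default resolver: every A/AAAA record, not just the first one."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def validate_outbound_url(url, allowed_hosts, resolve=system_resolve):
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return Verdict(False, f"scheme {parts.scheme!r} not allowed", [])
    if parts.username is not None or parts.password is not None:
        return Verdict(False, "credentials in URL are not allowed", [])
    host = parts.hostname
    if not host:
        return Verdict(False, "missing host", [])
    if host not in allowed_hosts:
        return Verdict(False, f"host {host!r} is not on the allowlist", [])
    try:
        addresses = [str(ipaddress.ip_address(host))]   # literal IP, nothing to resolve
    except ValueError:
        try:
            addresses = resolve(host)
        except OSError as exc:
            return Verdict(False, f"resolution failed: {exc}", [])
    if not addresses:
        return Verdict(False, "host resolved to no addresses", [])
    bad = [a for a in addresses if not is_public_address(a)]
    if bad:
        return Verdict(False, f"host resolves to non-public address(es) {bad}", addresses)
    # Callers should connect to one of the returned addresses rather than
    # re-resolving, so a DNS answer cannot change between check and use.
    return Verdict(True, "ok", addresses)


# Constructed DNS table: a legitimate storage host, and the same name after an
# attacker has pointed it at the metadata service.
CONSTRUCTED_DNS = {
    "blob.example.net": ["20.1.2.3"],
    "rebound.example.net": ["20.1.2.3", "169.254.169.254"],
}
ALLOWED_HOSTS = {"blob.example.net", "rebound.example.net", "10.0.0.5"}


def table_resolve(host):
    return CONSTRUCTED_DNS.get(host, [])


def demo():
    cases = {
        "public_storage": "https://blob.example.net/container/blob",
        "rebinds_to_metadata": "https://rebound.example.net/container/blob",
        "plain_http": "http://blob.example.net/",
        "private_literal": "https://10.0.0.5/",
        "credentials_in_url": "https://u:p@blob.example.net/",
        "not_allowlisted": "https://attacker.example.org/",
    }
    return {name: validate_outbound_url(u, ALLOWED_HOSTS, table_resolve).ok
            for name, u in cases.items()}


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'allowed' if ok else 'blocked'}")
```

The "rebinds_to_metadata" case is why all resolved addresses are checked rather than the first: an attacker-controlled name can return a public address alongside an internal one and rely on the client picking the latter.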
References:
- gbhackers.com: GBHackers reports Veeam Azure Backup SSRF vulnerability.
- securityonline.info: SecurityOnline covers Veeam releasing a patch for High-Risk SSRF Vulnerability.
- www.veeam.com: Veeam security advisory on CVE-2025-23082
- gbhackers.com: Veeam Azure Backup Vulnerability Allows Attackers to Utilize SSRF & Send Unauthorized Requests
- securityonline.info: Veeam Releases Patch for High-Risk SSRF Vulnerability CVE-2025-23082 in Azure Backup Solution
Sam Bent@Sam Bent
//
CISA has warned U.S. federal agencies about a critical vulnerability, CVE-2024-48248, in NAKIVO Backup & Replication. The flaw is an absolute path traversal bug that lets an attacker read sensitive files, potentially exposing configuration files, backups and stored credentials. CISA has added it to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation, and agencies must apply the required mitigations by April 9, 2025.
The vulnerability affects versions prior to 11.0.0.88174 (including 10.11.3.86570) and was discovered by watchTowr Labs, which also published a proof-of-concept exploit. Successful exploitation allows an unauthenticated attacker to read arbitrary files on the target host via the "/c/router" endpoint. NAKIVO fixed the issue in November 2024 with version v11.0.0.88174. Since the files reachable this way include backup repository credentials, organizations that were exposed should rotate those credentials in addition to patching.
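An absolute path traversal of the kind described above arises when a file-serving endpoint opens a caller-supplied path as-is. The following added example, written for this page in Python (NAKIVO's product is not Python, and this is not its code), shows that pattern next to a hardened version that refuses absolute paths in both POSIX and Windows spellings, resolves the requested path including `..` components and symlinks, and only then checks that the real target lies inside the served directory. The directory layout in `demo()` is constructed in a temporary directory.

```python
import os
import tempfile
from pathlib import Path, PureWindowsPath


def vulnerable_read(user_path):
    """The bug class: the caller's path is opened unchanged, so an absolute
    path such as /etc/passwd or C:\\... is served straight back."""
    with open(user_path, "rb") as fh:
        return fh.read()


def safe_read(base_dir, user_path):
    """Serve only files that lie inside base_dir after full resolution."""
    base = Path(base_dir).resolve()
    # Reject absolute paths outright rather than relying on join() silently
    # discarding base_dir when the second component is absolute.
    if os.path.isabs(user_path) or PureWindowsPath(user_path).is_absolute():
        raise PermissionError("absolute paths are not accepted")
    # resolve() collapses '..' and follows symlinks, so the containment
    # check is done on the real target, not on the requested string.
    target = (base / user_path).resolve()
    try:
        contained = os.path.commonpath([str(base), str(target)]) == str(base)
    except ValueError:            # different drives on Windows
        contained = False
    if not contained:
        raise PermissionError(f"{user_path!r} escapes {base}")
    return target.read_bytes()


def demo():
    """Constructed layout: <tmp>/secret.txt outside, <tmp>/backups/job1.txt inside."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        secret = root / "secret.txt"
        secret.write_bytes(b"repo-credentials")
        base = root / "backups"
        base.mkdir()
        (base / "job1.txt").write_bytes(b"job1 metadata")

        results = {"vulnerable_absolute": vulnerable_read(str(secret))}
        results["safe_inside"] = safe_read(base, "job1.txt")
        attempts = (
            ("safe_absolute", str(secret)),
            ("safe_dotdot", "../secret.txt"),
            ("safe_dotdot_nested", "sub/../../secret.txt"),
        )
        for label, requested in attempts:
            try:
                safe_read(base, requested)
                results[label] = "read"
            except PermissionError:
                results[label] = "rejected"
        return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The containment check is applied to the resolved path rather than to the string because a request like `sub/../../secret.txt` passes a naive "does it start with `..`" test and still leaves the base directory.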
References:
- Sam Bent: CISA Urges Federal Agencies to Patch NAKIVO Backup & Replication Flaw, Raising Security Concerns
- www.bleepingcomputer.com: CISA tags NAKIVO backup flaw as actively exploited in attacks