Saturday, March 29, 2025

Veeam RCE bug lets domain users hack backup servers, patch now

Veeam has patched a critical remote code execution vulnerability tracked as CVE-2025-23120 in its Backup & Replication software that impacts domain-joined installations.

The flaw was disclosed yesterday and impacts Veeam Backup & Replication version 12.3.0.310 and all earlier version 12 builds. The company fixed it in version 12.3.1 (build 12.3.1.1139), which was released yesterday.

According to a technical writeup by watchTowr Labs, who discovered the bug, CVE-2025-23120 is a deserialization vulnerability in the Veeam.Backup.EsxManager.xmlFrameworkDs and Veeam.Backup.Core.BackupSummary .NET classes.

A deserialization flaw is when an application improperly processes serialized data, allowing attackers to inject malicious objects, or gadgets, that can execute harmful code.

Last year, to fix a previous deserialization RCE flaw discovered by researcher Florian Hauser, Veeam introduced a blacklist of known classes or objects that could be exploited.

However, watchTowr was able to find a different gadget chain that was not blacklisted to achieve remote code execution.

“Anyway, you’ve probably guessed where this is going today – it seems Veeam, despite being a ransomware gang’s favorite play toy – didn’t learn after the lesson given by Frycos in previous research published. You guessed it – they fixed the deserialization issues by adding entries to their deserialization blacklist.”
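Why a blacklist of known gadget classes keeps failing while an allowlist does not, as an added example that is not from the article, watchTowr or Veeam. It uses Python's pickle as an analogy for .NET type resolution; the class names, list entries and sample blobs are constructed, and the "gadgets" are benign standard-library functions.

```python
import io
import pickle
import string
import textwrap
from collections import OrderedDict

# Constructed lists. The denylist holds only what has already been reported;
# the allowlist holds only what the application legitimately needs to load.
DENYLIST = {("string", "capwords")}
ALLOWLIST = {("collections", "OrderedDict")}

class DenylistUnpickler(pickle.Unpickler):
    """Resolves every type that is not explicitly blocked."""
    def find_class(self, module, name):
        if (module, name) in DENYLIST:
            raise pickle.UnpicklingError(f"blocked: {module}.{name}")
        return super().find_class(module, name)

class AllowlistUnpickler(pickle.Unpickler):
    """Resolves only the types that are explicitly expected."""
    def find_class(self, module, name):
        if (module, name) not in ALLOWLIST:
            raise pickle.UnpicklingError(f"not allowed: {module}.{name}")
        return super().find_class(module, name)

class Gadget:
    """Benign stand-in for a gadget: deserializing it calls func(arg)."""
    def __init__(self, func, arg):
        self.func, self.arg = func, arg
    def __reduce__(self):
        return (self.func, (self.arg,))

def load(unpickler_cls, blob):
    """Return ('ok', value) or ('rejected', reason)."""
    try:
        return ("ok", unpickler_cls(io.BytesIO(blob)).load())
    except pickle.UnpicklingError as exc:
        return ("rejected", str(exc))

# Constructed sample inputs.
REPORTED_BLOB = pickle.dumps(Gadget(string.capwords, "reported gadget ran"))
UNLISTED_BLOB = pickle.dumps(Gadget(textwrap.dedent, "  unlisted gadget ran"))
LEGIT_BLOB = pickle.dumps(OrderedDict(job="nightly", retention_days=14))

if __name__ == "__main__":
    for name, blob in [("reported", REPORTED_BLOB), ("unlisted", UNLISTED_BLOB),
                       ("legit", LEGIT_BLOB)]:
        print(name, "| denylist:", load(DenylistUnpickler, blob),
              "| allowlist:", load(AllowlistUnpickler, blob))
```

The denylist stops the gadget it already knows about but still resolves and invokes the unlisted one; the allowlist rejects both and loads only the expected data.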

The good news is that the flaw only impacts Veeam Backup & Replication installations that are joined to a domain. The bad news is that any domain user can exploit this vulnerability, making it easily exploitable in those configurations.

Unfortunately, many companies have joined their Veeam server to a Windows domain, ignoring the company’s long-standing best practices.

Ransomware gangs have told BleepingComputer in the past that Veeam Backup & Replication servers are always targets, as it allows them an easy way to steal data and block restoration efforts by deleting backups.

This flaw would make Veeam installs even more valuable due to the ease with which threat actors can breach the servers.

While there are no reports of this flaw being exploited in the wild, watchTowr has shared enough technical details that it would not be surprising to see a proof-of-concept (PoC) released soon.

Those companies using Veeam Backup & Replication should make it a priority to upgrade to 12.3.1 as soon as possible.

Furthermore, given ransomware gangs’ interest in this application, it is strongly advised to review Veeam’s best practices and disconnect the server from your domain.