Just in Time Bulletin: CVE-2025-23120 Veeam Backup and Replication RCE

Apr 16, 2025

What is CVE-2025-23120?

The team at watchTowr has identified a critical remote command execution vulnerability that affects Veeam Backup & Replication. Veeam is a popular enterprise backup and recovery platform that is often (basically always) deployed in Active Directory environments. The very nature of backup solutions requires Veeam services to run with privileged access. This gives Veeam a triple crown of popularity, connectivity, and elevated access while, crucially, also holding the backups themselves. That makes Veeam Backup a very desirable side quest to target in ransomware attacks.

The vulnerability, identified as CVE-2025-23120, is the spiritual and technical continuation of a deserialization vulnerability that Veeam “patched” in a previous release (CVE-2024-40711). I highly recommend everyone reading this check out both write-ups; they are a great demonstration of tenacious research and bug hunting. In the case of both vulnerabilities, the moral of the exploitation journey is to never trust a blacklist. Rather than address the vulnerabilities with a whitelist approach, Veeam expanded its list of blacklisted deserialization classes, which (to great surprise) still failed to cover every abusable class. Savvy attackers can build deserialization gadgets from the bounty of classes the blacklist leaves untouched.

Exploitation requires authenticated access; however, that includes any authenticated domain user of any privilege level. Successful exploitation results in a SYSTEM shell on a high-value target. Yikes. Patch ASAP.
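The blacklist-versus-whitelist point above, as an added C# illustration that is not Veeam's code or the researchers' code: a denylist SerializationBinder next to an allowlist one. DenylistBinder, AllowlistBinder, BackupJobState and the Example.* type names are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Runtime.Serialization;

// Denylist binder: the approach this bulletin warns against. Every type that is
// not explicitly named is still resolved, so a gadget class the list omits
// loads anyway. That is the pattern behind an "expanded blacklist" still failing.
public sealed class DenylistBinder : SerializationBinder
{
    // Constructed sample entries; not any vendor's actual list.
    private static readonly HashSet<string> Blocked =
        new HashSet<string>(StringComparer.Ordinal) { "Example.KnownGadgetA", "Example.KnownGadgetB" };

    public override Type BindToType(string assemblyName, string typeName)
    {
        if (Blocked.Contains(typeName))
            throw new SerializationException($"Blocked type: {typeName}");
        // Falls through to a full type lookup: anything unlisted is fair game.
        return Type.GetType($"{typeName}, {assemblyName}", throwOnError: true);
    }
}

// Allowlist binder: only types the application itself serializes can be bound.
// Unknown types fail closed, so a newly discovered gadget chain never reaches
// the deserializer regardless of whether anyone has heard of it yet.
public sealed class AllowlistBinder : SerializationBinder
{
    // Hypothetical application type used for illustration.
    private static readonly Dictionary<string, Type> Allowed =
        new Dictionary<string, Type>(StringComparer.Ordinal)
        {
            [typeof(BackupJobState).FullName] = typeof(BackupJobState),
        };

    public override Type BindToType(string assemblyName, string typeName)
    {
        if (Allowed.TryGetValue(typeName, out Type allowed))
            return allowed;
        throw new SerializationException($"Type not permitted by allowlist: {typeName}");
    }
}

[Serializable]
public sealed class BackupJobState
{
    public string JobName;
    public DateTime LastRun;
}
```

A binder only governs which type names the formatter will bind; the more durable fix is a serializer that does not instantiate types named in the payload at all.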

How bad is this?

CVE             CVSSv3 Score
CVE-2025-23120  8.8

Severity: Critical

  • Local or domain credentials are required
  • Leverages publicly known .NET deserialization gadgets
  • Complex exploitation

Who is affected by this?

Product                       Affected From   Affected To
Veeam Backup & Replication    12.0.0.1402     12.3.1.1139

How is it exploited? 

This vulnerability is exploitable remotely by any attacker who can authenticate as a member of a local or domain user group.

How do I protect myself? 

This vulnerability can be mitigated by upgrading to Veeam Backup & Replication 12.3.1.

Mitigating factors? 

Veeam Backup & Replication is generally not exposed to external networks, which limits exploitation by external threat actors.

Additional Resources: