Veeam RCE Bug Lets Domain Users Hack Backup Servers, Patch Now
A critical remote code execution (RCE) vulnerability has been discovered in Veeam Backup & Replication software, which allows domain-joined installations to be exploited by any domain user. The flaw, tracked as CVE-2025-23120, has been patched by Veeam in version 12.3.1, and users are advised to upgrade as soon as possible.
The Flaw: A Deserialization Vulnerability
The vulnerability is a deserialization issue in the Veeam.Backup.EsxManager.xmlFrameworkDs and Veeam.Backup.Core.BackupSummary .NET classes. According to watchTowr Labs, which discovered the bug, a flaw of this type lets an attacker supply serialized data containing malicious objects that run attacker-controlled code when the server deserializes them.
Previous Lessons Learned
Last year, a similar deserialization RCE flaw was fixed by Veeam after being discovered by researcher Florian Hauser. However, watchTowr found a different gadget chain, one not on the blacklist, that again achieves remote code execution. It appears that Veeam did not learn from this previous lesson and instead patched the issue by adding entries to its deserialization blacklist rather than restricting deserialization to an allow-list of expected types.
Impact on Domain-Joined Installations
The flaw only affects Veeam Backup & Replication installations that are joined to a domain. On those installations, any authenticated domain user can exploit the vulnerability, which makes it easy to exploit in that configuration.
A Concern for Companies with Windows Domains
Many companies have joined their Veeam servers to a Windows domain, against Veeam's long-standing best-practice guidance not to do so. Ransomware gangs have told BleepingComputer in the past that Veeam Backup & Replication servers are always targets, as they give the attackers an easy way to steal data and block restoration efforts by deleting backups.
A Flaw That Could Make Your Data Even More Valuable
This flaw makes Veeam installs even more valuable to attackers because of the ease with which threat actors can breach the servers. While there are no reports of this flaw being exploited in the wild, watchTowr has shared enough technical details that it would not be surprising to see a proof-of-concept (PoC) released soon.
What You Can Do
To protect yourself and your company from this vulnerability:
* Upgrade to Veeam Backup & Replication version 12.3.1 as soon as possible.
* Review Veeam's best practices and disconnect the server from your domain.
* Consider reviewing your security posture in general.
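The two conditions the article describes, a domain-joined server and a version below 12.3.1, can be checked together from the backup server itself. The script below is an added example written for this summary, not code from the article, from watchTowr or from Veeam. It assumes the product registers itself under the standard Windows Uninstall registry keys with a DisplayName beginning "Veeam Backup & Replication", and the fallback service binary path it tries is an assumed install location, not one taken from the article. It only reads state and prints a report.

```powershell
# Added example (not from the article, watchTowr or Veeam): read-only check for
# the two preconditions described above on a Veeam Backup & Replication host.
# Assumptions: the product appears under the standard Uninstall registry keys
# with DisplayName "Veeam Backup & Replication*"; the fallback binary path is an
# assumed default install location.

$FixedVersion = [version]'12.3.1'   # version the article says contains the fix

function Get-VeeamBnRVersion {
    # Look in both the 64-bit and 32-bit uninstall hives for the product entry.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $entry = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Veeam Backup & Replication*' } |
        Select-Object -First 1
    if ($entry -and $entry.DisplayVersion) {
        return [version]$entry.DisplayVersion
    }
    # Fallback: product version of the backup service binary (assumed path).
    $svc = 'C:\Program Files\Veeam\Backup and Replication\Backup\Veeam.Backup.Service.exe'
    if (Test-Path $svc) {
        return [version](Get-Item $svc).VersionInfo.ProductVersion
    }
    return $null   # product not found on this host
}

function Test-VeeamExposure {
    param(
        [version]$Installed,
        [bool]$DomainJoined,
        [version]$Fixed = $FixedVersion
    )
    $patched = ($null -ne $Installed -and $Installed -ge $Fixed)
    $advice  = @()
    if (-not $patched) {
        $advice += "Upgrade to Veeam Backup & Replication $Fixed or later."
    }
    if ($DomainJoined) {
        $advice += 'Server is domain-joined: any domain user can reach the vulnerable service; move it off the domain per Veeam best practice.'
    }
    # Exposed only when both conditions from the article hold at the same time.
    [pscustomobject]@{
        InstalledVersion = $Installed
        DomainJoined     = $DomainJoined
        Patched          = $patched
        Exposed          = ($DomainJoined -and -not $patched)
        Advice           = $advice
    }
}

# Gather live facts from this host and report.
$domainJoined = [bool](Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain
$installed    = Get-VeeamBnRVersion
Test-VeeamExposure -Installed $installed -DomainJoined $domainJoined | Format-List
```

Run it in an elevated PowerShell session on each backup server; a result of Exposed = True means the host matches the configuration the article calls easily exploitable, and the Advice field lists which of the two remediation steps still applies. A server that is patched but still domain-joined is not flagged as exposed to this CVE, but the domain-joined advice is still printed because the article's guidance is to remove it from the domain regardless.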