Veeam Fixed Critical Backup & Replication Flaw CVE-2025-23120

Rejoice, users of Veeam's Backup & Replication software! The company has released a security patch for a critical vulnerability that allowed remote code execution on the backup server. The flaw is tracked as CVE-2025-23120 (CVSS score of 9.9) and, according to Veeam's advisory, affects build 12.3.0.310 and all earlier version 12 builds; the fix ships in version 12.3.1 (build 12.3.1.1139).

The vulnerability was reported by security researcher Piotr Bazydlo of watchTowr. Veeam guards its .NET deserialization with a blocklist of known-dangerous types rather than an allowlist of the types it actually expects; Bazydlo found gadget classes that the blocklist did not cover, so an attacker able to reach the deserialization path could use them to execute code on the server. "A vulnerability allowing remote code execution (RCE) by authenticated domain users," reads the advisory published by the company.

Bazydlo credited his colleague Sina with inspiring him to investigate the Veeam deserialization mechanism. "He insisted that I should have a look at the Veeam deserialization mechanism, and I would have never done this if not him," wrote Bazydlo.

"He has also provided me all the knowledge needed for the exploitation, thus I only needed to focus on the easy stuff – gadget discovery."

Any local user on the Veeam server, or any domain user if the server is domain-joined, can exploit this vulnerability. It is worth noting that the patch works by adding the identified gadgets to the blocklist: the newly found gadgets are now blocked, but the underlying design is unchanged, so the same risk returns the moment another usable deserialization gadget is discovered.
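The blocklist problem described above is not specific to .NET, so here is an added example in Python, using the standard `pickle` module as a stand-in for Veeam's deserializer. This is illustration code written for this article, not Veeam's code or watchTowr's exploit; the `JobReport` type, the blocklist entries and the three payloads are all constructed for the example. A denylist-based loader refuses the one gadget it knows about (`os.system`) but happily resolves an unlisted callable (`builtins.eval`, called with a harmless expression here) and runs it; an allowlist-based loader accepts only the one type the protocol legitimately needs and rejects both gadgets, known or not.

```python
import io
import pickle


class JobReport:
    """The one legitimate type the receiving service expects (constructed for this example)."""

    def __init__(self, name, bytes_copied):
        self.name = name
        self.bytes_copied = bytes_copied

    def __repr__(self):
        return f"JobReport(name={self.name!r}, bytes_copied={self.bytes_copied})"


class DenylistUnpickler(pickle.Unpickler):
    """Blocklist model: refuse callables known to be dangerous, resolve everything else.
    Every (module, name) pair left off this list is a candidate gadget."""

    BLOCKED = {("os", "system"), ("subprocess", "Popen"), ("subprocess", "check_output")}

    def find_class(self, module, name):
        if (module, name) in self.BLOCKED:
            raise pickle.UnpicklingError(f"blocked gadget {module}.{name}")
        return super().find_class(module, name)


class AllowlistUnpickler(pickle.Unpickler):
    """Allowlist model: resolve only the types the protocol legitimately needs."""

    ALLOWED = {(JobReport.__module__, "JobReport")}

    def find_class(self, module, name):
        if (module, name) not in self.ALLOWED:
            raise pickle.UnpicklingError(f"type not allowed: {module}.{name}")
        return super().find_class(module, name)


def craft_reduce_pickle(module, name, *args):
    """Hand-assemble a protocol-0 pickle that calls module.name(*args) on load.
    Opcodes used: c GLOBAL, ( MARK, V UNICODE, t TUPLE, R REDUCE, . STOP."""
    data = b"c" + module.encode() + b"\n" + name.encode() + b"\n("
    for arg in args:
        data += b"V" + arg.encode("raw_unicode_escape") + b"\n"
    return data + b"tR."


def try_load(unpickler_cls, data):
    """Return ('loaded', object) or ('blocked', reason) for the given deserializer."""
    try:
        return ("loaded", unpickler_cls(io.BytesIO(data)).load())
    except pickle.UnpicklingError as exc:
        return ("blocked", str(exc))


# Constructed sample inputs: a gadget on the blocklist, a gadget missing from it,
# and a legitimate object of the expected type.
def known_gadget_payload():
    return craft_reduce_pickle("os", "system", "id")


def unlisted_gadget_payload():
    # eval of "2 ** 10" is harmless, but it stands in for arbitrary code execution.
    return craft_reduce_pickle("builtins", "eval", "2 ** 10")


def legitimate_payload():
    return pickle.dumps(JobReport("nightly-full", 4096))


if __name__ == "__main__":
    samples = [("known gadget", known_gadget_payload()),
               ("unlisted gadget", unlisted_gadget_payload()),
               ("legitimate report", legitimate_payload())]
    for label, payload in samples:
        print(f"{label:18} denylist  -> {try_load(DenylistUnpickler, payload)}")
        print(f"{label:18} allowlist -> {try_load(AllowlistUnpickler, payload)}")
```

The denylist loader returns `('loaded', 1024)` for the unlisted gadget, which is the whole point: the attacker only has to find one callable the list author did not think of. The allowlist loader needs no knowledge of gadgets at all. The .NET counterpart of `find_class` is the `SerializationBinder` (or an equivalent type-resolution hook) consulted during deserialization; the robust fix is to resolve only an explicit set of expected types there rather than to keep extending a list of forbidden ones.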

"Given the size of the Veeam codebase, we wouldn’t be surprised if other researchers now find numerous further feasible deserialization gadgets," concludes Bazydlo. "It is hard for us to be positive about this, given the criticality of the solution, combined with the well-known and trodden ground of this solution being targeted by ransomware gangs."

As always, keep the software up to date: upgrade Backup & Replication to 12.3.1 (build 12.3.1.1139) or later. Because the vulnerable path is only reachable by authenticated users, a backup server that is not joined to the production domain limits exposure to local accounts, which is in line with Veeam's own long-standing advice against domain-joining the backup server.