A critical remote code execution (RCE) vulnerability, identified as CVE-2025-23120, has been discovered in Veeam Backup & Replication (VBR). This flaw allows authenticated domain users to execute arbitrary code on the affected system. The vulnerability has been assigned a CVSS v3.1 score of 9.9, indicating its critical severity. 

Affected versions

The vulnerability affects Veeam Backup & Replication version 12.3.0.310 and all earlier version 12 builds. Notably, unsupported product versions have not been tested but are likely affected and should be considered vulnerable.  

What is the impact?

Successful exploitation of this vulnerability could allow attackers to execute arbitrary code, access sensitive information, or perform unauthorized actions on the affected device.  

Details

The issue stems from improper handling of deserialization within VBR. Specifically, Veeam implemented a blacklist-based approach to restrict certain classes during deserialization. However, this approach is inherently flawed: the list must be updated continually as new dangerous classes become known, and anything not yet on it is still deserialized. Attackers can exploit this weakness to bypass the restrictions and execute arbitrary code on the system.

Moreover, the vulnerability is easily exploitable by authenticated Domain Users who can access the deserialization sink without needing to be part of privileged groups. This makes it especially dangerous in typical Active Directory-integrated environments. 
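The following is an added illustration of the blacklist-versus-allowlist point above; it is not Veeam code, and Python's pickle stands in for the .NET deserializer in VBR. The denylist loader blocks a few named classes and resolves everything else (it fails open), the allowlist loader resolves only classes it has been told about (it fails closed), and `referenced_globals` shows what a serialized blob would ask the loader to resolve before anything is instantiated. The class names in the denylist and the two payloads are constructed, harmless examples.

```python
"""Denylist vs allowlist class resolution in a deserializer (added illustration,
not Veeam code). Python's pickle stands in for the .NET deserializer in VBR."""
import collections
import datetime
import io
import pickle
import pickletools
from typing import Iterable, List, Tuple

Global = Tuple[str, str]   # (module, name) pair a payload asks the loader to resolve


class DenylistUnpickler(pickle.Unpickler):
    """Blocks a fixed set of classes; everything else resolves (fails open)."""

    # Constructed, deliberately short denylist of well-known dangerous callables.
    DENIED = frozenset({("os", "system"), ("subprocess", "Popen"), ("builtins", "eval")})

    def find_class(self, module, name):
        if (module, name) in self.DENIED:
            raise pickle.UnpicklingError(f"denylisted global {module}.{name}")
        # Any class not on the list, including ones that appeared after the
        # list was written, is resolved and instantiated.
        return super().find_class(module, name)


class AllowlistUnpickler(pickle.Unpickler):
    """Resolves only explicitly approved classes; everything else is rejected (fails closed)."""

    def __init__(self, file, allowed: Iterable[Global]):
        super().__init__(file)
        self.allowed = frozenset(allowed)

    def find_class(self, module, name):
        if (module, name) not in self.allowed:
            raise pickle.UnpicklingError(f"global {module}.{name} is not on the allowlist")
        return super().find_class(module, name)


def denylist_loads(data: bytes):
    return DenylistUnpickler(io.BytesIO(data)).load()


def allowlist_loads(data: bytes, allowed: Iterable[Global]):
    return AllowlistUnpickler(io.BytesIO(data), allowed).load()


def attempt(loader, data: bytes, **kwargs):
    """Run a loader and return (accepted, result_or_reason) instead of raising."""
    try:
        return True, loader(data, **kwargs)
    except pickle.UnpicklingError as exc:
        return False, str(exc)


STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE",
              "STRING", "SHORT_BINSTRING", "BINSTRING"}


def referenced_globals(data: bytes) -> List[Global]:
    """List every (module, name) a pickle stream would resolve, without loading it.

    Walks the opcode stream with pickletools. Only string constants and the memo
    entries holding them are modelled, which is all GLOBAL/STACK_GLOBAL depend on.
    """
    refs: List[Global] = []
    pushed: List = []     # values pushed by the ops we model; None for anything else
    memo = {}
    for op, arg, _pos in pickletools.genops(data):
        if op.name in STRING_OPS:
            pushed.append(arg)
        elif op.name in ("PROTO", "FRAME", "STOP"):
            continue                          # bookkeeping ops push nothing
        elif op.name == "MEMOIZE":
            memo[len(memo)] = pushed[-1] if pushed else None
        elif op.name in ("PUT", "BINPUT", "LONG_BINPUT"):
            memo[arg] = pushed[-1] if pushed else None
        elif op.name in ("GET", "BINGET", "LONG_BINGET"):
            pushed.append(memo.get(arg))
        elif op.name == "GLOBAL":             # protocol <= 3: "module name" in one arg
            module, name = arg.split(" ", 1)
            refs.append((module, name))
        elif op.name == "STACK_GLOBAL":       # protocol 4+: the two strings just pushed
            refs.append((pushed[-2], pushed[-1]))
        else:
            pushed.append(None)
    return refs


# Constructed, harmless payloads: each references exactly one class.
ORDERED = pickle.dumps(collections.OrderedDict(job="nightly-backup"))
DATE = pickle.dumps(datetime.date(2025, 3, 20))
ALLOWED = frozenset({("collections", "OrderedDict")})


if __name__ == "__main__":
    for label, blob in (("OrderedDict", ORDERED), ("date", DATE)):
        print(label, "references", referenced_globals(blob))
        print("  denylist :", attempt(denylist_loads, blob))
        print("  allowlist:", attempt(allowlist_loads, blob, allowed=ALLOWED))
```

Run as a script, the denylist loader accepts both payloads because neither class is on its list, while the allowlist loader accepts only the OrderedDict blob and rejects the date blob by name. That asymmetry is the whole argument for an allowlist: the defender enumerates what is expected rather than guessing what an attacker might send next.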

Mitigation 

  • Apply Patches: Veeam has addressed this vulnerability in Veeam Backup & Replication 12.3.1 (build 12.3.1.1139). Users are strongly advised to update to this version promptly. 
  • Hotfix Availability: For deployments currently running Veeam Backup & Replication 12.3 (build 12.3.0.310), a hotfix has been developed for customers who cannot immediately update to version 12.3.1.  
  • Limit Access: Restrict access to the Veeam Backup & Replication server to trusted users only, minimizing the risk of exploitation by unauthorized individuals.
  • Network Segmentation: Implement network segmentation to isolate critical backup infrastructure from general network traffic, reducing potential attack vectors.
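To turn the affected-version statement and the patch/hotfix guidance above into a repeatable check, here is an added triage script (not Veeam tooling). It parses dotted build strings, treats version-12 builds below 12.3.1.1139 as vulnerable, singles out 12.3.0.310 as the build the hotfix targets, and flags pre-12 builds as unsupported-but-assume-vulnerable, as the bulletin advises. It assumes builds at or above the fixed build carry the fix; the hostnames and the non-bulletin build numbers in the sample inventory are constructed.

```python
"""Triage VBR build numbers against CVE-2025-23120 (added example, not Veeam tooling)."""
from typing import Dict, Tuple

FIXED_BUILD = (12, 3, 1, 1139)   # Veeam Backup & Replication 12.3.1, per the bulletin
HOTFIX_BUILD = (12, 3, 0, 310)   # the one build the bulletin says the interim hotfix targets


def parse_build(build: str) -> Tuple[int, ...]:
    """'12.3.0.310' -> (12, 3, 0, 310). Anything that is not dotted integers is rejected."""
    parts = build.strip().split(".")
    if not all(part.isdigit() for part in parts):
        raise ValueError(f"unrecognised build string: {build!r}")
    return tuple(int(part) for part in parts)


def triage(build: str) -> str:
    """Classify one server's build as 'patched', 'hotfix_or_update', 'update' or 'unsupported'."""
    version = parse_build(build)
    if version[0] < 12:
        # Bulletin: unsupported versions are untested but should be treated as vulnerable.
        return "unsupported"
    if version >= FIXED_BUILD:
        # Assumption: builds at or above 12.3.1.1139 carry the fix.
        return "patched"
    if version == HOTFIX_BUILD:
        # 12.3.0.310 may take the hotfix if 12.3.1 cannot be installed immediately.
        return "hotfix_or_update"
    # Any other version-12 build below the fix: update to 12.3.1.
    return "update"


def triage_inventory(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map hostname -> build string to hostname -> triage status."""
    return {host: triage(build) for host, build in inventory.items()}


# Constructed inventory; hostnames and the builds not named in the bulletin are made up.
SAMPLE_INVENTORY = {
    "vbr-prod-01": "12.3.0.310",
    "vbr-prod-02": "12.3.1.1139",
    "vbr-dr-01": "12.2.0.1",
    "vbr-legacy": "11.0.1.1",
}

if __name__ == "__main__":
    for host, status in sorted(triage_inventory(SAMPLE_INVENTORY).items()):
        print(f"{host:12} {SAMPLE_INVENTORY[host]:14} {status}")
```

Feed it the build numbers from your own asset inventory; anything that comes back as `update` or `hotfix_or_update` is a host to schedule, and `unsupported` hosts should be planned for upgrade rather than treated as out of scope.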

Staying informed about such vulnerabilities and promptly applying security measures is crucial to protect your organisation's backup infrastructure from potential threats. 

If you are worried about any of the threats outlined in this bulletin or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively Get in touch to find out how you can protect your organisation.