A critical remote code execution (RCE) vulnerability, tracked as CVE-2025-23120, has been disclosed in Veeam Backup & Replication (VBR). It allows any authenticated domain user to execute arbitrary code on a domain-joined backup server. The vulnerability carries a CVSS v3.1 base score of 9.9, placing it in the critical severity band.
The vulnerability affects Veeam Backup & Replication 12.3.0.310 and all earlier version 12 builds; Veeam has fixed it in 12.3.1 (build 12.3.1.1139). Unsupported product versions have not been tested but are likely affected and should be treated as vulnerable.
Successful exploitation gives an attacker arbitrary code execution on the backup server itself, and with it the ability to access the sensitive data the server holds or perform unauthorised actions on that system.
The issue stems from unsafe deserialization within VBR. Veeam guarded the deserialization sink with a blacklist (denylist) of known-dangerous classes rather than an allowlist of the types the stream is actually expected to contain. A denylist only ever blocks gadgets that have already been discovered, so it has to be extended every time a new gadget chain is found; any class not on the list, including classes in VBR's own assemblies, is deserialized normally. An attacker who identifies such a class bypasses the restriction and executes arbitrary code on the system.
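The following is an added example, not Veeam's code, showing why a name-based denylist binder fails where an allowlist binder does not. The classes `ExampleMessage`, `KnownGadgetBase` and `ProductReportSet` are constructed stand-ins for this demo (no real Veeam type names are used); the real bypass, per watchTowr's published analysis, used classes in Veeam's own assemblies that inherit from System.Data.DataSet, which is exactly the subclass situation modelled here.

```csharp
// Added example (not Veeam's code): denylist vs allowlist SerializationBinder.
// Type names below are constructed stand-ins. BinaryFormatter is obsolete; this
// compiles on .NET Framework, or on .NET 6-8 with
// <EnableUnsafeBinaryFormatterSerialization>true</EnableUnsafeBinaryFormatterSerialization>.
#pragma warning disable SYSLIB0011
using System;
using System.Collections.Generic;
using System.IO;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Formatters.Binary;

[Serializable] sealed class ExampleMessage { public string Text; }

// Stand-in for a "known dangerous" base type that a vendor denylists by name.
[Serializable] class KnownGadgetBase { public string Payload; }

// A subclass, e.g. living in one of the product's own assemblies. Its records in
// the stream carry *this* type name, so a name-based denylist never sees the base.
[Serializable] sealed class ProductReportSet : KnownGadgetBase { }

// Denylist: blocks only what it already knows about.
sealed class DenylistBinder : SerializationBinder
{
    static readonly HashSet<string> Blocked = new HashSet<string>(StringComparer.Ordinal)
    {
        "KnownGadgetBase",   // in a real product: "System.Data.DataSet" and friends
    };

    public override Type BindToType(string assemblyName, string typeName)
    {
        if (Blocked.Contains(typeName))
            throw new SerializationException("denylisted type: " + typeName);
        // Everything else resolves normally, including gadgets nobody has listed yet.
        return Type.GetType(typeName + ", " + assemblyName, throwOnError: true);
    }
}

// Allowlist: resolves only the types this particular stream is expected to contain.
sealed class AllowlistBinder : SerializationBinder
{
    static readonly Dictionary<string, Type> Allowed = new Dictionary<string, Type>
    {
        [typeof(ExampleMessage).FullName] = typeof(ExampleMessage),
    };

    public override Type BindToType(string assemblyName, string typeName)
    {
        if (Allowed.TryGetValue(typeName, out var t)) return t;
        throw new SerializationException("type not permitted: " + typeName);
    }
}

static class Demo
{
    // Serialise a graph, then deserialise it through the given binder, the way a
    // server would for attacker-supplied bytes. Returns the outcome as text.
    static string Roundtrip(object graph, SerializationBinder binder)
    {
        var formatter = new BinaryFormatter();
        using (var ms = new MemoryStream())
        {
            formatter.Serialize(ms, graph);
            ms.Position = 0;
            formatter.Binder = binder;   // consulted for every type record on the way in
            try { return "accepted " + formatter.Deserialize(ms).GetType().Name; }
            catch (SerializationException e) { return "rejected: " + e.Message; }
        }
    }

    static void Main()
    {
        var deny = new DenylistBinder();
        var allow = new AllowlistBinder();
        Console.WriteLine(Roundtrip(new ExampleMessage { Text = "hello" }, deny));  // accepted
        Console.WriteLine(Roundtrip(new KnownGadgetBase(), deny));                  // rejected: on the list
        Console.WriteLine(Roundtrip(new ProductReportSet(), deny));                 // accepted: the bypass
        Console.WriteLine(Roundtrip(new ExampleMessage { Text = "hello" }, allow)); // accepted
        Console.WriteLine(Roundtrip(new ProductReportSet(), allow));                // rejected: not expected
    }
}
```

The third call is the whole story: the denylist compares the type name in the stream, the subclass has a different name, and the object is constructed. An allowlist binder does not need to know about any gadget, only about the handful of types the application itself put in the stream. The stronger fix is not to use BinaryFormatter at all; Microsoft's guidance is to migrate to a format that does not resolve types from the input, and .NET 9 disables BinaryFormatter by default.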
Moreover, the sink is reachable by any authenticated member of Domain Users; membership in a privileged group such as Domain Admins is not required. In the typical Active Directory-integrated deployment, where the backup server is joined to the production domain, any compromised domain account is therefore enough to reach it.
Upgrade to 12.3.1 (build 12.3.1.1139) or later without delay, and verify the installed build number on every backup server rather than assuming it. Check whether the backup server is domain-joined at all: Veeam's own hardening guidance is to keep it out of the production domain, which would also have kept this sink out of reach of ordinary domain accounts. Staying informed about such vulnerabilities and promptly applying security measures is crucial to protecting your organisation's backup infrastructure.
If you are worried about any of the threats outlined in this bulletin or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively Get in touch to find out how you can protect your organisation.