
published 15 days ago

Veeam RCE bug tracked as CVE-2025-23120 lets any domain user compromise backup servers

- Veeam has fixed a critical remote code execution vulnerability, tracked as CVE-2025-23120, in its Backup & Replication software. The flaw affects domain-joined installations running version 12.3.0.310 and earlier. The fix ships in version 12.3.1 (build 12.3.1.1139).

- According to watchTowr Labs, which discovered the vulnerability, CVE-2025-23120 is a deserialization flaw in specific .NET classes. A deserialization flaw arises when an application reconstructs objects from serialized data it does not fully trust; an attacker who controls that data can supply objects of classes ("gadgets") whose behaviour during deserialization ends in code execution.

- Veeam had previously hardened its software against deserialization attacks, but watchTowr found another path to remote code execution. Because the vulnerability affects Veeam installations joined to a Windows domain and can be triggered by any domain user, it is particularly dangerous in such setups. Many organizations have joined their Veeam servers to their production domain, contrary to Veeam's own security best-practice guidance.

- Ransomware groups have repeatedly targeted Veeam Backup & Replication servers, using them to steal data and to hinder recovery by deleting backups. There is no evidence of active exploitation yet, but the level of detail watchTowr has published suggests a proof-of-concept may appear soon. Organizations running Veeam Backup & Replication should prioritize upgrading to 12.3.1 and review their security posture, including removing the backup server from the domain.
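The two conditions the article calls out, an unpatched build and domain membership, can be checked from the backup server itself. The following PowerShell script is an added example, not code from the article, Veeam or watchTowr. It assumes the default install path of the Veeam Backup Service binary (`C:\Program Files\Veeam\Backup and Replication\Backup\Veeam.Backup.Service.exe`) and uses the patched build number 12.3.1.1139 given in the article as the threshold; the rest uses only standard Windows cmdlets.

```powershell
# Added example (not from the article or Veeam): flags a Veeam Backup & Replication host
# that is (a) below the patched build for CVE-2025-23120 or (b) joined to a Windows domain.
# Run on the backup server in an elevated PowerShell session.

# Patched build number as stated in the article.
$PatchedBuild = [version]'12.3.1.1139'

# ASSUMPTION: default install location of the Veeam Backup Service binary; adjust if needed.
$ServicePath = 'C:\Program Files\Veeam\Backup and Replication\Backup\Veeam.Backup.Service.exe'

$findings = @()

# --- Check 1: installed build vs. patched build -------------------------------------
if (Test-Path -LiteralPath $ServicePath) {
    # FileVersion can carry trailing text; keep only the leading dotted number.
    $rawVersion = (Get-Item -LiteralPath $ServicePath).VersionInfo.FileVersion
    try {
        $installed = [version](($rawVersion -split '\s')[0])
        if ($installed -lt $PatchedBuild) {
            $findings += "Veeam build $installed is below patched build $PatchedBuild (CVE-2025-23120). Upgrade to 12.3.1."
        } else {
            Write-Host "Veeam build $installed is at or above $PatchedBuild."
        }
    } catch {
        Write-Warning "Could not parse Veeam file version '$rawVersion'; verify the build manually."
    }
} else {
    Write-Warning "Veeam service binary not found at '$ServicePath'; verify the install path."
}

# --- Check 2: domain membership ----------------------------------------------------
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if ($cs.PartOfDomain) {
    $findings += "Host is joined to domain '$($cs.Domain)': every domain user is in scope for CVE-2025-23120. Veeam guidance is to keep the backup server off the production domain."
} else {
    Write-Host "Host is not domain-joined (workgroup '$($cs.Domain)')."
}

# --- Report ------------------------------------------------------------------------
if ($findings.Count -gt 0) {
    Write-Host "`nFINDINGS:" -ForegroundColor Yellow
    $findings | ForEach-Object { Write-Host " - $_" }
    exit 1
}
Write-Host "`nNo findings."
exit 0
```

The version check compares the binary's file version, not the product version shown in the console, so confirm the build number in the Veeam console after patching; a non-zero exit code makes the script usable as a compliance check from a scheduled task or configuration-management run.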