Threat Insight

Critical Vulnerability CVE-2025-23120 in Veeam Backup & Replication Enables Remote Code Execution

A critical vulnerability in Veeam Backup & Replication allows authenticated users to compromise the backup server.

If your backup server is joined to Active Directory (AD), which is not recommended, any domain user would be able to exploit this vulnerability and compromise the backup server, unless you have implemented other hardening measures.


Technical Details

Veeam Backup & Replication exposes a .NET Remoting channel through which internal deserialization functionality based on the .NET BinaryFormatter can be reached. The deserialization process relies on a blacklist of forbidden types, which means an attacker can deserialize any payload as long as it uses a gadget that is not on that blacklist; this allows an authenticated domain user to achieve remote code execution [1].
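The following is an added example, not Veeam's code, illustrating why a deny-list is the wrong control for BinaryFormatter deserialization: a deny-list SerializationBinder (the pattern described above) is contrasted with an allow-list binder that only resolves the types the channel is expected to carry. It assumes .NET Framework 4.8 (BinaryFormatter is disabled by default on modern .NET), and the type names and message class are constructed placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Formatters.Binary;

[Serializable]
public class BackupJobMessage { public string JobName; public int Priority; } // constructed message type

// Weak: any type NOT on the list is accepted, so every gadget the list author
// did not think of still deserializes. "Contoso.KnownGadget" is a placeholder.
public class DenyListBinder : SerializationBinder
{
    static readonly HashSet<string> Blocked = new HashSet<string> { "Contoso.KnownGadget" };
    public override Type BindToType(string assemblyName, string typeName)
    {
        if (Blocked.Contains(typeName))
            throw new SerializationException("blocked type: " + typeName);
        return Type.GetType(typeName + ", " + assemblyName); // resolves arbitrary types
    }
}

// Hardened: only explicitly expected types resolve; everything else fails closed,
// regardless of which gadget chain the payload uses.
public class AllowListBinder : SerializationBinder
{
    static readonly Dictionary<string, Type> Allowed = new Dictionary<string, Type>
    {
        { typeof(BackupJobMessage).FullName, typeof(BackupJobMessage) }
    };
    public override Type BindToType(string assemblyName, string typeName)
    {
        Type t;
        if (Allowed.TryGetValue(typeName, out t)) return t;
        throw new SerializationException("type not permitted on this channel: " + typeName);
    }
}

public static class Demo
{
    // Serializes and deserializes msg with the given binder; with AllowListBinder,
    // any object graph containing a non-allowed type throws instead of instantiating it.
    public static object Roundtrip(object msg, SerializationBinder binder)
    {
        var fmt = new BinaryFormatter { Binder = binder };
        using (var ms = new MemoryStream())
        {
            fmt.Serialize(ms, msg);
            ms.Position = 0;
            return fmt.Deserialize(ms);
        }
    }
}
```

Calling `Demo.Roundtrip(new BackupJobMessage { JobName = "nightly", Priority = 1 }, new AllowListBinder())` succeeds, while the same call with any other serializable class fails with SerializationException; the DenyListBinder accepts that other class unless its name happens to be on the list.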

CVE

CVE-2025-23120

Affected Products

Veeam Backup & Replication versions before 12.3.0.310 [2]

Exploitation

No exploitation has been observed.

Truesec recommends that you immediately patch to Veeam Backup & Replication version 12.3.1[2]. For existing deployments of Veeam Backup & Replication 12.3 (build 12.3.0.310), a hotfix to resolve this vulnerability has been developed and is intended for customers who cannot immediately update to version 12.3.1[2]. The hotfix can be found here, under “More Information”: https://www.veeam.com/kb4724

References

[1] https://labs.watchtowr.com/by-executive-order-we-are-banning-blacklists-domain-level-rce-in-veeam-backup-replication-cve-2025-23120/
[2] https://www.veeam.com/kb4724