Veeam RCE bug lets domain users hack backup servers, patch now
Veeam has patched a critical remote code execution vulnerability tracked as CVE-2025-23120 in its Backup & Replication software that impacts domain-joined installations.
The flaw was disclosed yesterday and affects Veeam Backup & Replication version 12.3.0.310 and all earlier version 12 builds. The company fixed it in version 12.3.1 (build 12.3.1.1139), which was released yesterday.
According to a technical writeup by watchTowr Labs, who discovered the bug, CVE-2025-23120 is a deserialization vulnerability in the Veeam.Backup.EsxManager.xmlFrameworkDs and Veeam.Backup.Core.BackupSummary .NET classes.
A deserialization flaw occurs when an application unsafely processes serialized data, allowing attackers to supply malicious objects, known as gadgets, that execute harmful code.
Last year, while fixing a previous deserialization RCE flaw discovered by researcher Florian Hauser, Veeam introduced a blacklist of known classes and objects that could be exploited.
However, watchTowr was able to find a different gadget chain that was not blacklisted to achieve remote code execution.
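The difference between the blacklist approach the article criticises and the allowlist approach that closes the gap can be shown with a small .NET SerializationBinder. The code below is an added example, not Veeam's or watchTowr's code; the class names BackupJobSummary, KnownBadGadget and NewlyFoundGadget are hypothetical stand-ins (the gadget classes here carry no payload and only represent "a type that was on the list" versus "a type nobody had listed yet"). It targets .NET Framework 4.x, where BinaryFormatter is still usable; on .NET 8 and later BinaryFormatter is disabled by default.

```csharp
// Added example (not Veeam's code): a deny-list SerializationBinder next to an
// allow-list one, showing why the former fails open for a previously unknown type.
// Assumes .NET Framework 4.x; BinaryFormatter is disabled by default on .NET 8+.
using System;
using System.IO;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Formatters.Binary;

[Serializable]
public class BackupJobSummary   // hypothetical DTO the application legitimately exchanges
{
    public string JobName;
    public int RestorePoints;
}

[Serializable]
public class KnownBadGadget { }   // hypothetical: a type already on the deny list
[Serializable]
public class NewlyFoundGadget { } // hypothetical: a type nobody had listed yet

// Deny-list binder: everything resolves except names seen before.
// This is the pattern the article criticises: a new gadget chain slips through.
public sealed class DenyListBinder : SerializationBinder
{
    private static readonly string[] Blocked = { typeof(KnownBadGadget).FullName };

    public override Type BindToType(string assemblyName, string typeName)
    {
        if (Array.IndexOf(Blocked, typeName) >= 0)
            throw new SerializationException("blocked type: " + typeName);
        return Type.GetType(typeName + ", " + assemblyName); // anything else resolves
    }
}

// Allow-list binder: only the DTOs the protocol actually needs may be resolved.
public sealed class AllowListBinder : SerializationBinder
{
    private static readonly Type[] Allowed = { typeof(BackupJobSummary) };

    public override Type BindToType(string assemblyName, string typeName)
    {
        foreach (var t in Allowed)
            if (t.FullName == typeName) return t;
        throw new SerializationException("type not on allow list: " + typeName);
    }
}

public static class Demo
{
    static byte[] Serialize(object o)
    {
        var ms = new MemoryStream();
        new BinaryFormatter().Serialize(ms, o);
        return ms.ToArray();
    }

    // Returns true if the binder let the payload deserialize, false if it was rejected.
    static bool TryDeserialize(byte[] data, SerializationBinder binder)
    {
        try
        {
            var f = new BinaryFormatter { Binder = binder };
            f.Deserialize(new MemoryStream(data));
            return true;
        }
        catch (SerializationException) { return false; }
    }

    public static void Main()
    {
        var legit = Serialize(new BackupJobSummary { JobName = "nightly", RestorePoints = 7 });
        var known = Serialize(new KnownBadGadget());
        var novel = Serialize(new NewlyFoundGadget());

        // Deny list: legit=True known=False novel=True  (the unlisted type gets through)
        Console.WriteLine("deny list : legit={0} known={1} novel={2}",
            TryDeserialize(legit, new DenyListBinder()),
            TryDeserialize(known, new DenyListBinder()),
            TryDeserialize(novel, new DenyListBinder()));

        // Allow list: legit=True known=False novel=False (only the expected DTO resolves)
        Console.WriteLine("allow list: legit={0} known={1} novel={2}",
            TryDeserialize(legit, new AllowListBinder()),
            TryDeserialize(known, new AllowListBinder()),
            TryDeserialize(novel, new AllowListBinder()));
    }
}
```

The design point is that the allowlist binder never calls Type.GetType on attacker-controlled names at all, so a newly discovered gadget class is rejected without anyone having to know about it first; a deny list has to be updated after each new chain is found, which is exactly the cycle the article describes.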
“Anyway, you’ve probably guessed where this is going today – it seems Veeam, despite being a ransomware gang’s favourite play toy – didn’t learn after the lesson given by Frycos in previous research published. You guessed it – they fixed the deserialization issues by adding entries to their deserialization blacklist.”
The good news is that the flaw only impacts Veeam Backup & Replication installations that are joined to a domain. The bad news is that any domain user can exploit this vulnerability, making it easily exploitable in those configurations.
Unfortunately, many companies have joined their Veeam server to a Windows domain, ignoring the company’s long-standing best practices.
Ransomware gangs have told BleepingComputer in the past that Veeam Backup & Replication servers are always targets, as they give them an easy way to steal data and block restoration efforts by deleting backups.
This flaw would make Veeam installs even more valuable due to the ease with which threat actors can breach the servers.
While there are no reports of this flaw being exploited in the wild, watchTowr has shared enough technical details that it would not be surprising to see a proof-of-concept (PoC) released soon.
Those companies using Veeam Backup & Replication should make it a priority to upgrade to 12.3.1 as soon as possible.
Furthermore, given ransomware gangs’ interest in this application, it is strongly advised to review Veeam’s best practices and disconnect the server from your domain.