Veeam has released fixes for a critical remote code execution vulnerability (CVE-2025-23120) affecting its enterprise Veeam Backup & Replication solution, and is urging customers to quickly upgrade to a fixed version.
There is currently no indication that the vulnerability is being leveraged by attackers. It was privately reported by researcher Piotr Bazydlo of watchTowr Labs, who followed the release of the patch with a technical write-up and pointers on how a proof-of-concept exploit for a previously discovered vulnerability (CVE-2024-40711) can be modified to exploit CVE-2025-23120.
About CVE-2025-23120
CVE-2025-23120 – which actually covers two RCE vulnerabilities based on similar deserialization gadgets – affects Veeam Backup & Replication versions 12, 12.1, 12.2, and 12.3. “Unsupported product versions are not tested, but are likely affected and should be considered vulnerable,” the company says.
The semi-good news is that the vulnerability affects only Backup & Replication servers that are joined to the organization’s Active Directory domain, and can be exploited only by authenticated domain users.
“Veeam explicitly mentions that domain-joined backup servers are against security and compliance best practices, but in reality, we believe this is likely to be a relatively common configuration,” Rapid7 researchers noted.
They also pointed out that attackers typically access or exploit Veeam backup servers only after they have already established a foothold in the target environment.
“Imagine that any employee of your 50 000 people organization can get SYSTEM on your backup server. Kind of scary, right? Especially when you think about those threat actors that seemingly and magically appear to get shellz on your endpoints,” Bazydlo commented.
Keeping in mind that ransomware attackers usually go after backups, that Veeam Backup & Replication vulnerabilities are regularly exploited by them, and that clever attackers will know how to develop an exploit based on the available information, enterprise admins should move quickly.
“Customers should update to the latest version of the software (12.3 build 12.3.1.1139) immediately, without waiting for a regular patch cycle to occur,” Rapid7 researchers advised.
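The exposure conditions the article states (affected 12.x branches, fixed build 12.3.1.1139, exploitable only on domain-joined servers) can be turned into a simple inventory triage. This is an added example, not code from the article, Veeam or Rapid7; the server names and build strings are constructed, and treating any non-12 branch below the fix as "unsupported" is an assumption.

```python
# Added example (not from the article or Veeam): triage a constructed inventory of
# Veeam Backup & Replication servers against the conditions the advisory states for
# CVE-2025-23120: affected branches 12, 12.1, 12.2, 12.3; fixed in build 12.3.1.1139;
# exploitable only when the server is domain-joined (by authenticated domain users).
from dataclasses import dataclass

FIXED_BUILD = (12, 3, 1, 1139)   # from the article: 12.3 build 12.3.1.1139
AFFECTED_MAJOR = 12              # the 12.x branches listed as affected

@dataclass
class BackupServer:
    name: str
    build: str          # e.g. "12.3.0.100" as reported by the host (constructed values)
    domain_joined: bool

def parse_build(build: str) -> tuple[int, ...]:
    """Turn '12.3.1.1139' into (12, 3, 1, 1139); pad short strings so tuples compare."""
    parts = tuple(int(p) for p in build.strip().split("."))
    if not parts or len(parts) > 4:
        raise ValueError(f"unexpected build string: {build!r}")
    return parts + (0,) * (4 - len(parts))

def assess(server: BackupServer) -> str:
    v = parse_build(server.build)
    if v >= FIXED_BUILD:
        return "patched"
    if v[0] != AFFECTED_MAJOR:
        # Not a tested 12.x build: the vendor says unsupported versions are
        # "likely affected and should be considered vulnerable". Assumption: any
        # non-12 branch below the fix is treated as unsupported here.
        status = "unsupported-assume-vulnerable"
    else:
        status = "vulnerable"
    if not server.domain_joined:
        # Exposure condition from the advisory: exploitation needs a domain-joined
        # server. Still patch, but it is not reachable by the described path.
        return status + "-not-domain-joined"
    return status + "-exposed"

def triage(servers: list[BackupServer]) -> dict[str, str]:
    return {s.name: assess(s) for s in servers}

if __name__ == "__main__":
    # Constructed sample inventory, not real hosts or real build numbers.
    inventory = [
        BackupServer("vbr-01", "12.3.0.100", True),
        BackupServer("vbr-02", "12.3.1.1139", True),
        BackupServer("vbr-03", "12.1.0.200", False),
        BackupServer("vbr-04", "11.0.0.300", True),
    ]
    for name, status in triage(inventory).items():
        print(f"{name}: {status}")
```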