Veeam RCE Vulnerability Allows Domain Users to Hack Backup Servers

Researchers uncovered critical Remote Code Execution (RCE) vulnerabilities in the Veeam Backup & Replication solution.

These vulnerabilities, which include CVE-2025-23120, exploit weaknesses in deserialization mechanisms, potentially allowing any domain user to gain SYSTEM access to Veeam backup servers.

This is particularly concerning for organizations that have integrated their Veeam servers into their Active Directory domains.

CVE-2025-23120: Exploiting Deserialization Weaknesses

The exploitation is facilitated through the use of deserialization gadgets within the Veeam codebase.

Specifically, the researchers leveraged the Veeam.Backup.EsxManager.xmlFrameworkDs class, which extends the DataSet class, as per a report by WatchTowr Lab.

This makes it a potent gadget for achieving RCE due to its ability to call the parent class’s constructor, thus enabling immediate RCE capabilities.

namespace Veeam.Backup.EsxManager
{
    [Serializable]
    public class xmlFrameworkDs : DataSet
    {
        protected xmlFrameworkDs(SerializationInfo info, StreamingContext context)
            : base(info, context, false)
        {
            if (base.IsBinarySerialized(info, context))
            {
                this.InitVars(false);
                CollectionChangeEventHandler value = new CollectionChangeEventHandler(this.SchemaChanged);
                this.Tables.CollectionChanged += value;
                this.Relations.CollectionChanged += value;
                return;
            }
            //...
        }
    }
}

This vulnerability exploits the inherent weaknesses in blacklist-based deserialization security mechanisms.

Veeam had previously attempted to mitigate similar issues by extending their deserialization blacklist.

However, the researchers found that this approach is inherently flawed, as it hinges on maintaining an exhaustive list of malicious classes, which is nearly impossible given the vast number of potential gadgets in the .NET Framework and third-party libraries.

Privileges Required for Exploitation

To exploit these vulnerabilities, users need to access the Veeam .NET Remoting channel.

This access does not require administrative privileges; instead, any user belonging to the local Users group on the Windows host can exploit these vulnerabilities.

Even more alarming, when the Veeam server is joined to a domain, any domain user can exploit these flaws due to the way authorization checks are implemented in the Veeam Mount Service.

The authorization checks are performed by the CMountServiceAccessChecker.HasAccess method, which grants access if the user is in the WindowsBuiltInRole.User group.

This includes domain users if the domain configuration allows the Domain Users group to be added to the local Users group:

The discovery of these RCE vulnerabilities in Veeam Backup & Replication underscores the risks associated with using blacklist-based security mechanisms.

It highlights the importance of moving towards whitelist-only approaches to prevent similar vulnerabilities in the future.

For organizations using Veeam, it is crucial to apply the latest patches and consider isolating backup servers from domain networks to mitigate these risks.

Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup - Try for Free