Critical Veeam vulnerability and RCE

Veeam Backup & Replication software is a popular tool used by organizations to back up and restore their data. Due to the critical nature of the data it protects, the software is often a target for ransomware gangs, who aim to steal data and block restoration efforts by deleting backups. The newly discovered vulnerability makes Veeam installations even more attractive targets, as it simplifies the process for threat actors to breach the servers.

CVE-2025-23120

This vulnerability affects Veeam Backup & Replication version 12.3.0.310 and all earlier version 12 builds. Veeam has addressed the issue in version 12.3.1 (build 12.3.1.1139), which was recently released. The vulnerability is a deserialization flaw present in the Veeam.Backup.EsxManager.xmlFrameworkDs and Veeam.Backup.Core.BackupSummary .NET classes. Deserialization flaws occur when an application improperly processes serialized data, potentially allowing attackers to inject malicious objects that can execute harmful code.

Last year, a similar deserialization RCE flaw was discovered by researcher Florian Hauser. To fix that flaw, Veeam implemented a blacklist of known classes or objects that could be exploited. However, watchTowr Labs discovered a different gadget chain that bypassed this blacklist, leading to the current vulnerability. This indicates that despite previous incidents, Veeam’s attempts to fully address deserialization issues were insufficient. The current vulnerability impacts Veeam Backup & Replication installations that are joined to a domain. This is particularly concerning because many companies, against Veeam’s best practices, have joined their Veeam server to a Windows domain. This configuration makes the vulnerability easily exploitable by any domain user.

Although there are no reports of this flaw being exploited in the wild, watchTowr Labs has shared enough technical details that a proof-of-concept (PoC) exploit could be developed and released soon. Given the high interest of ransomware gangs in Veeam Backup & Replication servers, companies using the software are strongly advised to prioritize upgrading to version 12.3.1 as soon as possible. Additionally, it is recommended to review Veeam’s best practices and disconnect the server from the domain to mitigate the risk.
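As an added example (not code from this post, the advisory or Veeam), the following PowerShell triage script checks the two conditions the text describes on a Veeam server: an installed build older than the fixed 12.3.1.1139 and membership in a Windows domain. The lookup through the standard Uninstall registry keys and the "Veeam Backup & Replication" DisplayName match are assumptions; adjust the filter if your installation registers itself differently.

```powershell
# Added triage check for CVE-2025-23120 (not from the advisory or Veeam).
# Fixed build per the advisory summary above; affected builds are any 12.x below it.
$FixedBuild = [version]'12.3.1.1139'

function Get-VbrInstalledVersion {
    # Assumption: the product appears under the standard Uninstall keys with a
    # DisplayName beginning "Veeam Backup & Replication" and a parsable DisplayVersion.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $entry = Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Veeam Backup & Replication*' } |
        Select-Object -First 1
    if (-not $entry -or -not $entry.DisplayVersion) { return $null }
    return [version]$entry.DisplayVersion
}

function Test-CVE202523120Exposure {
    param([version]$Installed, [bool]$DomainJoined)
    # Vulnerable build: version 12 branch and older than the fixed build.
    $vulnerableBuild = ($Installed.Major -eq 12) -and ($Installed -lt $FixedBuild)
    # The flaw is reachable by any domain user only when the server is domain-joined.
    if ($vulnerableBuild) {
        $action = 'Upgrade to 12.3.1 (build 12.3.1.1139)'
    } elseif ($DomainJoined) {
        $action = 'Patched; still review domain membership per Veeam best practices'
    } else {
        $action = 'No action required for this CVE'
    }
    [pscustomobject]@{
        InstalledVersion = $Installed
        VulnerableBuild  = $vulnerableBuild
        DomainJoined     = $DomainJoined
        Exposed          = ($vulnerableBuild -and $DomainJoined)
        Action           = $action
    }
}

$installed = Get-VbrInstalledVersion
if (-not $installed) {
    Write-Warning 'Veeam Backup & Replication not found under the Uninstall keys; check manually.'
    return
}
$joined = (Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain
Test-CVE202523120Exposure -Installed $installed -DomainJoined $joined | Format-List
```

Run it in an elevated PowerShell session on the backup server; the Exposed field is true only when both the unpatched build and domain membership apply.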

Veeam security advisory: https://www.veeam.com/kb4724
