logo

Critical Veeam Backup & Replication RCE vulnerability fixed, patch ASAP! (CVE-2025-23120)

VulnerabilityCVEEnterprise

Veeam has released fixes for a critical remote code execution vulnerability (CVE-2025-23120) affecting its enterprise Veeam Backup & Replication solution, and is urging customers to quickly upgrade to a fixed version.

Veeam Backup vulnerability CVE-2025-23120

There is currently no indication that the vulnerability is being leveraged by attackers. It was privately reported by researcher Piotr Bazydlo of watchTowr Labs, who followed the release of the patch with a technical write-up and pointers on how a proof-of-concept exploit for a previously discovered vulnerability (CVE-2024-40711) can be modified to exploit CVE-2025-23120.

About CVE-2025-23120

CVE-2025-23120 – which actually covers two RCE vulnerabilities based on similar deserialization gadgets – affects Veeam Backup & Replication versions 12, 12.1, 12.2, and 12.3. “Unsupported product versions are not tested, but are likely affected and should be considered vulnerable,” the company says.

The semi-good news is that the vulnerability affects only Backup & Replication servers that are joined to the organization’s Active Directory domain, and can be exploited only by authenticated domain users.

“Veeam explicitly mentions that domain-joined backup servers are against security and compliance best practices, but in reality, we believe this is likely to be a relatively common configuration,” Rapid7 researchers noted.

They also pointed out that Veeam backup servers being accessed or exploited by attackers usually happens once an adversary has already established a foothold in the target environment.

“Imagine that any employee of your 50 000 people organization can get SYSTEM on your backup server. Kind of scary, right? Especially when you think about those threat actors that seemingly and magically appear to get shellz on your endpoints,” Bazydlo commented.

Keeping in mind that ransomware attackers usually go after backups, that Veeam Backup & Replication vulnerabilities are regularly exploited by them, and that clever attackers will know how to develop an exploit based on the available information, enterprise admins should move quickly.

“Customers should update to the latest version of the software (12.3 build 12.3.1.1139) immediately, without waiting for a regular patch cycle to occur,” Rapid7 researchers advised.

CISA Adds NAKIVO Vulnerability to KEV Catalog Amid Active Exploitation

Six Governments Likely Use Israeli Paragon Spyware to Hack IM Apps and Harvest Data

Free online web security scanner

Top News:

Microsoft confirms it's killing off Skype in May, after 14 years

Microsoft confirms it's killing off Skype in May, after 14 years

 February 28, 2025
Fake "Security Alert" issues on GitHub use OAuth app to hijack accounts

Fake "Security Alert" issues on GitHub use OAuth app to hijack accounts

 March 17, 2025
SideWinder APT Targets Maritime, Nuclear, and IT Sectors Across Asia, Middle East, and Africa

SideWinder APT Targets Maritime, Nuclear, and IT Sectors Across Asia, Middle East, and Africa

 March 11, 2025
Microsoft: New RAT malware used for crypto theft, reconnaissance

Microsoft: New RAT malware used for crypto theft, reconnaissance

 March 18, 2025
Google's March 2025 Android Security Update Fixes Two Actively Exploited Vulnerabilities

Google's March 2025 Android Security Update Fixes Two Actively Exploited Vulnerabilities

 March 4, 2025
North Korean Lazarus hackers infect hundreds via npm packages

North Korean Lazarus hackers infect hundreds via npm packages

 March 12, 2025