
Veeam has released an important security update to fix a critical remote code execution (RCE) vulnerability in its Backup & Replication software. Tracked as CVE-2025-23120, this flaw affects domain-joined installations and could allow attackers to execute malicious code remotely.
Vulnerability Details
The issue impacts Veeam Backup & Replication version 12.3.0.310 and all earlier version 12 builds. The company has addressed the flaw in version 12.3.1 (build 12.3.1.1139), which is now available for users to download and install.
Security researchers at watchTowr Labs, who discovered the flaw, identified it as a deserialization vulnerability in the Veeam.Backup.EsxManager.xmlFrameworkDs and Veeam.Backup.Core.BackupSummary .NET classes. Deserialization flaws occur when an application reconstructs objects from untrusted serialized data without restricting which types may be instantiated, allowing an attacker to supply crafted data that causes harmful code to run during deserialization.
Why This Flaw Matters
Veeam had previously introduced a blacklist to block known exploitable objects in response to another deserialization RCE flaw discovered by security researcher Florian Hauser. However, watchTowr Labs found a new gadget chain that was not blacklisted, enabling remote code execution once again. This is the usual weakness of a blacklist approach: it only covers the gadget chains already known at the time it was written.
This discovery highlights an ongoing security concern for Veeam Backup & Replication servers, which have long been a target for ransomware gangs. Cybercriminals actively seek to compromise Veeam servers to steal data and disrupt backup restoration efforts.
Who Is at Risk?
The flaw only affects domain-joined Veeam Backup & Replication installations. However, the major risk comes from the fact that any domain user can exploit the vulnerability, making it an easy target in certain configurations.
Many organizations fail to follow Veeam’s best practices and have linked their backup servers to Windows domains, which increases their exposure to such security threats.

Potential for Exploitation
Currently, there are no known cases of this vulnerability being exploited in the wild. However, watchTowr has published technical details, making it likely that a proof-of-concept (PoC) exploit will emerge soon.
Given the historical interest of ransomware groups in Veeam software, it is crucial for organizations to take immediate action to secure their systems.
How to Protect Your System
To safeguard against this vulnerability, organizations should:
Update immediately to Veeam Backup & Replication version 12.3.1 (build 12.3.1.1139).
Follow Veeam’s best practices by reviewing security configurations.
Disconnect Veeam Backup & Replication servers from domain environments, if possible, to limit exposure.
Monitor security advisories for any new threats related to this flaw.
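The following PowerShell script is an added example, not code from Veeam or from the article, that turns the two exposure conditions above (a build earlier than 12.3.1.1139 and a domain-joined host) into a quick local check an administrator can run on a backup server. The path to Veeam.Backup.Core.dll is assumed to be the default installation location, and reading the product build from that file's version resource is an assumption of this example; adjust the path if your installation differs.

```powershell
# Added example: assess a Veeam Backup & Replication host against CVE-2025-23120.
# Assumption (not from the advisory): the DLL path below is the default install
# location and its file version reflects the installed product build.
$FixedBuild   = [version]'12.3.1.1139'   # fixed build stated in the advisory
$VeeamCoreDll = 'C:\Program Files\Veeam\Backup and Replication\Backup\Veeam.Backup.Core.dll'

function Get-VeeamBuildVersion {
    param([string]$Path = $VeeamCoreDll)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $info = (Get-Item -LiteralPath $Path).VersionInfo
    $raw  = if ($info.FileVersion) { $info.FileVersion } else { $info.ProductVersion }
    # Extract a dotted numeric version such as 12.3.0.310 even if the string has extra text
    if ($raw -match '\d+(\.\d+){1,3}') { return [version]$Matches[0] }
    return $null
}

function Test-DomainJoined {
    # Win32_ComputerSystem.PartOfDomain is $true when the host is joined to an AD domain
    return [bool](Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain
}

function Test-VeeamCve202523120Exposure {
    param(
        [Parameter(Mandatory)][version]$Installed,
        [Parameter(Mandatory)][bool]$DomainJoined,
        [version]$Fixed = $FixedBuild
    )
    # The advisory covers version 12 builds up to 12.3.0.310; anything below the
    # fixed build is flagged, and exposure requires the host to be domain-joined.
    $vulnerableBuild = $Installed -lt $Fixed
    $action = if ($vulnerableBuild -and $DomainJoined) {
        'Patch to 12.3.1 (build 12.3.1.1139) now; any domain user can reach this flaw'
    } elseif ($vulnerableBuild) {
        'Patch to 12.3.1; host is not domain-joined, so exposure is reduced but the build is still vulnerable'
    } else {
        'Installed build is at or above the fixed build'
    }
    [pscustomobject]@{
        InstalledBuild  = $Installed
        FixedBuild      = $Fixed
        DomainJoined    = $DomainJoined
        VulnerableBuild = $vulnerableBuild
        Exposed         = ($vulnerableBuild -and $DomainJoined)
        Action          = $action
    }
}

$installed = Get-VeeamBuildVersion
if ($null -eq $installed) {
    Write-Warning "Could not read a build version from $VeeamCoreDll; is Backup & Replication installed here?"
} else {
    Test-VeeamCve202523120Exposure -Installed $installed -DomainJoined (Test-DomainJoined) | Format-List
}
```

Run it in an elevated PowerShell session on each backup server; a result with Exposed set to True is the case the article describes, where a domain-joined server on an unpatched build should be updated before anything else. The build comparison uses PowerShell's [version] type so that 12.3.0.310 sorts correctly below 12.3.1.1139 rather than being compared as text.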
Conclusion
Veeam’s latest update addresses a serious security risk that could potentially lead to ransomware attacks and data theft. Organizations using Veeam Backup & Replication must act quickly to patch their systems and enhance security measures. By staying proactive, businesses can reduce the risk of cyberattacks and ensure their backup infrastructure remains protected.
For more details on the update and best practices, visit Veeam’s official security advisory page or contact your IT security team for immediate action.