Emergency Security Bulletin: Veeam Backup & Replication Vulnerability


By: RedLegg's Cyber Threat Intelligence Team

About:

RedLegg will occasionally communicate vulnerabilities disclosed outside the usual release schedule to provide additional value to our customers. These emergency bulletins describe vulnerabilities or threats that we classify at the highest severity level and that warrant out-of-band emergency patching or mitigation.


VULNERABILITIES

Veeam Backup & Replication Remote Code Execution Vulnerability

CVSS Score: 9.9 (Critical)
Identifier: CVE-2025-23120
Exploit or POC: Yes, a proof-of-concept exploit has been publicly disclosed.
Update: CVE-2025-23120 – Veeam Security Advisory

Description: CVE-2025-23120 is a critical remote code execution (RCE) vulnerability in Veeam Backup & Replication versions 12.3.0.310 and earlier. The root cause is unsafe .NET deserialization: the classes Veeam.Backup.EsxManager.xmlFrameworkDs and Veeam.Backup.Core.BackupSummary were not covered by Veeam's deserialization blocklist and can be used as gadgets to reach code execution. Any authenticated domain user, with no Veeam role or permissions required, can exploit the flaw to execute arbitrary code on the backup server. Exploitation is only possible when the backup server is joined to an Active Directory domain, a configuration that Veeam's security best practices explicitly advise against. Because backup servers hold the credentials and data needed to recover from ransomware, a domain-joined, unpatched server gives any compromised domain account a direct path to the organization's last line of defense.

Mitigation Recommendation: Veeam has addressed this vulnerability in version 12.3.1 (build 12.3.1.1139). Administrators are strongly advised to upgrade to this build immediately. For environments where immediate upgrading is not feasible, Veeam has provided a hotfix for version 12.3.0.310. Older, unsupported versions were not tested by Veeam but should be assumed vulnerable and upgraded to a supported release. Additionally, review the security configuration of backup servers and ensure they are not joined to the production Active Directory domain (Veeam recommends a workgroup or a separate, dedicated management domain), in line with Veeam's security and compliance best practices. Confirm the installed build after patching rather than relying on the update having been scheduled.
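The following PowerShell check is an added example, not part of the RedLegg bulletin or of Veeam's own tooling. It tests the two conditions the advisory ties together: whether the installed Veeam Backup & Replication build is below the fixed build 12.3.1.1139, and whether the server is domain-joined. It assumes the default installation path under C:\Program Files\Veeam\Backup and Replication\Backup and reads the build number from the file version of Veeam.Backup.Manager.exe; adjust the path if your installation differs.

```powershell
# Added example: CVE-2025-23120 exposure check for a Veeam Backup & Replication server.
# Not Veeam's code. Assumptions: default install path, fixed build 12.3.1.1139 per the advisory.

$FixedBuild = [version]'12.3.1.1139'
$VbrPath    = 'C:\Program Files\Veeam\Backup and Replication\Backup'   # assumed default path

function Get-VbrBuild {
    param([string]$Path = $VbrPath)
    # The product build is carried in the file version of Veeam.Backup.Manager.exe.
    $exe = Join-Path $Path 'Veeam.Backup.Manager.exe'
    if (-not (Test-Path $exe)) { return $null }
    [version](Get-Item $exe).VersionInfo.FileVersion
}

function Test-Cve202523120Exposure {
    $build        = Get-VbrBuild
    $domainJoined = (Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain

    # Patched only when the build is known and at or above the fixed build.
    $patched = ($null -ne $build) -and ($build -ge $FixedBuild)

    [pscustomobject]@{
        Build        = if ($build) { $build.ToString() } else { 'not found' }
        Patched      = $patched
        DomainJoined = $domainJoined
        # Both advisory conditions must hold for the server to be exploitable.
        Exposed      = (-not $patched) -and $domainJoined
    }
}

Test-Cve202523120Exposure | Format-List
```

Run it on each backup server as an administrator. A result of Exposed = True means the host is both below the fixed build and domain-joined and should be patched first; a DomainJoined = True result on a patched server is still a best-practice finding worth tracking, since the same configuration would re-expose the server to any future flaw of this class.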

Note: Given the public availability of a proof-of-concept exploit, the low bar for exploitation (any domain credential), and the critical nature of this vulnerability, prompt action is essential to safeguard backup infrastructure from attack.