
Veeam Backup’s Urgent Patch Released for RCE Flaw


Veeam, a leading data protection and backup solutions provider, has released an urgent security patch for a severe vulnerability in its Backup & Replication software. The flaw, tracked as CVE-2025-23120, carries a CVSS score of 9.9, making it a critical threat to organizations relying on Veeam for data protection.

According to the company’s advisory, this serious security loophole allows authenticated domain users to remotely execute arbitrary code. The vulnerability impacts Backup & Replication version 12.3.0.310 and earlier version 12 builds. Veeam strongly advises customers to upgrade immediately to version 12.3.1 (build 12.3.1.1139), where the flaw has been patched.

Deserialization Flaw Fuels Remote Code Execution Risk

The flaw’s roots lie deep within Veeam’s deserialization mechanism, as reported by cybersecurity firm watchTowr, which discovered the issue. While Veeam uses a typical allow-list approach to control which classes can be deserialized, the patchwork fixes and weak block-list implementation leave the system vulnerable.

One of the allowed classes initiates inner deserialization, bypassing the safeguards. This flawed design allows attackers to manipulate the process, potentially leading to full system compromise.

Previous patches added entries to the block-list, but watchTowr highlights that the vast codebase leaves room for new “deserialization gadgets”—elements within the code that attackers can weaponize to achieve remote code execution (RCE).
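The pattern described above (an allow-list that is checked only at the outer layer, so an allowed container type can trigger unguarded inner deserialization) is easier to reason about with a small model. The following is an added, constructed Python example, not Veeam's code and not watchTowr's research: the JSON-based format, the `Batch`, `AuditEvent` and `DangerousGadget` type names and the `REGISTRY`/`ALLOW_LIST` tables are all invented here to show why the allow-list must be applied at every level of the object graph rather than patched with a block-list of known gadgets.

```python
"""Toy model of an allow-list that is bypassed by inner deserialization.

Constructed example for illustration; the format and types are invented and
DangerousGadget has no real side effect, it only records that it was built.
"""
import json


class AuditEvent:
    def __init__(self, value):
        self.value = value


class DangerousGadget:
    """Stands in for a type whose construction has side effects.
    Here it only appends to a list so the test can observe it."""
    triggered = []

    def __init__(self, value):
        DangerousGadget.triggered.append(value)


class Batch:
    """An allowed container type. Its constructor deserializes its children
    through whatever inner deserializer it is handed; in the vulnerable design
    that inner deserializer performs no allow-list check."""

    def __init__(self, raw_items, inner_deserialize):
        self.items = [inner_deserialize(item) for item in raw_items]


REGISTRY = {"AuditEvent": AuditEvent, "DangerousGadget": DangerousGadget, "Batch": Batch}
ALLOW_LIST = {"AuditEvent", "Batch"}


def _construct(node, inner_deserialize):
    """Resolve the '$type' tag via the registry and build the object."""
    cls = REGISTRY[node["$type"]]
    if cls is Batch:
        return Batch(node["items"], inner_deserialize)
    return cls(node["value"])


def deserialize_unguarded(node):
    """Inner deserializer with no allow-list: any registered type is built."""
    return _construct(node, deserialize_unguarded)


def deserialize_vulnerable(data):
    """Allow-list enforced only on the outermost object."""
    node = json.loads(data)
    if node["$type"] not in ALLOW_LIST:
        raise ValueError("type not allowed: " + node["$type"])
    # Bug: children of an allowed container are built without the check.
    return _construct(node, deserialize_unguarded)


def deserialize_hardened(data):
    """Allow-list enforced recursively: every node is checked before construction."""
    def guarded(node):
        if node["$type"] not in ALLOW_LIST:
            raise ValueError("type not allowed: " + node["$type"])
        return _construct(node, guarded)
    return guarded(json.loads(data))


# Constructed payload: an allowed Batch wrapping a disallowed type.
PAYLOAD = json.dumps({"$type": "Batch", "items": [
    {"$type": "AuditEvent", "value": "login ok"},
    {"$type": "DangerousGadget", "value": "constructed-gadget"},
]})


def demo():
    """Returns (gadget_built_by_vulnerable_path, hardened_path_rejected)."""
    DangerousGadget.triggered.clear()
    deserialize_vulnerable(PAYLOAD)
    built_by_vulnerable = "constructed-gadget" in DangerousGadget.triggered

    DangerousGadget.triggered.clear()
    try:
        deserialize_hardened(PAYLOAD)
        rejected = False
    except ValueError:
        rejected = not DangerousGadget.triggered  # rejected before construction
    return built_by_vulnerable, rejected


if __name__ == "__main__":
    print(demo())  # expected: (True, True)
```

The design point is that adding `DangerousGadget` to a block-list would fix only this one payload; the next type found in a large codebase would pass again. Propagating the allow-list into the inner deserializer closes the whole class, which is why an allow-list checked at only one layer gives a false sense of safety.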

A Dangerous Pattern of Exploitable Bugs

The newly discovered CVE-2025-23120 is worryingly similar to earlier vulnerabilities in Veeam’s software. For instance, CVE-2024-40711, disclosed in September 2024, was rapidly exploited in ransomware attacks. It shares the same deserialization weakness, offering attackers a path to compromise systems.

Another linked flaw, CVE-2024-42455, exposed a separate risk where authenticated users could abuse insecure deserialization to delete critical files on the server with system-level privileges.

These repeated issues reveal a concerning pattern in Veeam’s handling of deserialization security, leaving systems exposed until properly patched.

Weak Authentication Increases the Threat Surface

While exploiting CVE-2025-23120 requires user authentication, watchTowr warns that the authentication barrier is weak. This means determined attackers can potentially gain access with minimal effort, especially in poorly secured environments.

The firm demonstrated how attackers could reuse proof-of-concept (PoC) exploits originally developed for CVE-2024-40711 to exploit the new flaw with slight modifications.

This alarming ease of exploitation further underscores the critical nature of the vulnerability and the importance of applying Veeam’s latest patch without delay.

Immediate Action Required: Update to Stay Protected

Organizations using Veeam Backup & Replication must act swiftly to prevent potential breaches. Upgrading to the latest version 12.3.1 (build 12.3.1.1139) will close the door on this vulnerability and reinforce your data protection infrastructure.

In addition, it’s advisable to review user access rights, strengthen authentication processes, and conduct thorough security audits to identify any lingering exposure to deserialization attacks.
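To turn the advisory's version numbers into a triage list, a defender needs to compare four-part build strings correctly (string comparison would sort "12.3.0.310" after "12.3.1.1139" incorrectly in some cases). This is an added Python example, not a Veeam tool; the host names and build strings in `INVENTORY` are constructed, and the only facts it encodes are the two builds named in the article: affected through 12.3.0.310 (and earlier version 12 builds), fixed in 12.3.1.1139. Anything in between is flagged for manual confirmation rather than assumed safe.

```python
"""Classify Veeam Backup & Replication builds against the advisory numbers above.
Added example; the inventory below is constructed sample data."""

LAST_AFFECTED = (12, 3, 0, 310)    # highest build named as affected
FIXED_BUILD = (12, 3, 1, 1139)     # build named as patched


def parse_build(build):
    """Turn '12.3.0.310' into (12, 3, 0, 310); pad short strings with zeros."""
    parts = tuple(int(p) for p in build.strip().split("."))
    return parts + (0,) * (4 - len(parts))


def classify(build):
    """Return one of: affected, patched, verify, out-of-range."""
    v = parse_build(build)
    if v[0] != 12:
        # The advisory text only names version 12 builds.
        return "out-of-range"
    if v <= LAST_AFFECTED:
        return "affected"
    if v >= FIXED_BUILD:
        return "patched"
    # Between the last listed affected build and the fix: do not assume safe.
    return "verify"


def is_affected(build):
    return classify(build) == "affected"


def triage(inventory):
    """inventory: iterable of (host, build). Returns {host: status}."""
    return {host: classify(build) for host, build in inventory}


# Constructed sample inventory (hypothetical hosts and builds).
INVENTORY = [
    ("vbr-prod-01", "12.3.0.310"),
    ("vbr-prod-02", "12.1.2.172"),
    ("vbr-lab-01", "12.3.1.1139"),
    ("vbr-legacy", "11.0.1.1261"),
]

if __name__ == "__main__":
    for host, status in triage(INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as "affected" should be scheduled for the 12.3.1 upgrade first; "verify" means the build is newer than the last listed affected build but older than the fix, so it should be checked against the vendor advisory rather than trusted on the basis of this script.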
