Veeam warns of a critical Remote Code Execution (RCE) vulnerability that allows attackers to compromise backup servers, in particular backup servers that are joined to a domain.
The new vulnerability, tracked as CVE-2025-23120, is a deserialization vulnerability in the Veeam.Backup.EsxManager.xmlFrameworkDs and Veeam.Backup.Core.BackupSummary .NET classes, according to researchers at watchTowr Labs, who investigated the flaw further.
A deserialization vulnerability occurs when an application deserializes data it does not fully trust without checking what that data contains. This allows attackers to embed malicious objects, or "gadgets", in the serialized data; when the application reconstructs them, they perform attacker-chosen actions, which can lead to remote code execution.
The vulnerability can be exploited by any user who belongs to a local user group on the Windows host of a Veeam Backup & Replication server. When that server is joined to a domain, every user in the domain meets this condition and can exploit the vulnerability to run (malicious) code remotely.
New gadget chain
Veeam has long been plagued by deserialization flaws in its software. It also maintains a blacklist of objects and classes that are known to perform malicious actions when deserialized. According to the researchers, however, this list is not complete: they have now discovered a new gadget chain for CVE-2025-23120 that the blacklist does not catch and that attackers can exploit.
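To show why a blacklist of dangerous classes is structurally weaker than an allowlist, here is an added C# illustration (it is not Veeam's code and makes no claim about how Veeam's binder is written). It assumes a hypothetical message type `ExampleApp.JobSummary` and a hypothetical two-entry denylist. In .NET, a `SerializationBinder` is consulted by formatters such as `BinaryFormatter` for every type name found in the incoming stream, and throwing from `BindToType` aborts deserialization before the object graph is built. The example exercises the two binders' policy directly, so it runs on any .NET without enabling `BinaryFormatter`.

```csharp
// Added illustration: denylist vs allowlist type binders for .NET deserialization.
// Not Veeam's code; type names below are hypothetical examples.
using System;
using System.Collections.Generic;
using System.Runtime.Serialization;

namespace ExampleApp
{
    // Hypothetical DTO that the message format is expected to carry.
    [Serializable]
    public sealed class JobSummary { public string Name = ""; public int Objects; }
}

// Denylist policy: everything resolves except names already known to be dangerous.
// A gadget class nobody has listed yet (a newly discovered chain) still gets built.
public sealed class DenylistBinder : SerializationBinder
{
    private static readonly HashSet<string> Blocked =
        new HashSet<string>(StringComparer.Ordinal)
        {
            // Hypothetical entries; a real list would be product-specific.
            "System.Data.DataSet",
            "System.Windows.Data.ObjectDataProvider",
        };

    public override Type BindToType(string assemblyName, string typeName)
    {
        if (Blocked.Contains(typeName))
            throw new SerializationException($"blocked type: {typeName}");
        // Fall through: resolve whatever the stream asked for. Returning null here
        // would NOT refuse the type; it tells the formatter to use its own default
        // resolution, so the only real refusal is the exception above.
        return Type.GetType($"{typeName}, {assemblyName}", throwOnError: false);
    }
}

// Allowlist policy: only the handful of types this format is expected to contain
// may be created; every other type name is refused regardless of whether it is
// "known bad" today.
public sealed class AllowlistBinder : SerializationBinder
{
    private static readonly Dictionary<string, Type> Allowed =
        new Dictionary<string, Type>(StringComparer.Ordinal)
        {
            ["ExampleApp.JobSummary"] = typeof(ExampleApp.JobSummary),
        };

    public override Type BindToType(string assemblyName, string typeName)
    {
        if (Allowed.TryGetValue(typeName, out var t))
            return t;
        throw new SerializationException($"type not permitted by allowlist: {typeName}");
    }
}

public static class Demo
{
    // True if the binder would let a stream containing this type name proceed.
    public static bool Accepts(SerializationBinder binder, string typeName)
    {
        try { binder.BindToType("mscorlib", typeName); return true; }
        catch (SerializationException) { return false; }
    }

    public static void Main()
    {
        var deny = new DenylistBinder();
        var allow = new AllowlistBinder();

        // Expected payload type: both policies accept it (denylist only because it
        // is not blocked; allowlist because it is explicitly named).
        const string expected = "ExampleApp.JobSummary";
        // A framework type that is not on the denylist and was never expected in
        // this message format: stands in for "a class the blacklist does not know".
        const string unlisted = "System.Collections.Hashtable";

        Console.WriteLine($"denylist  accepts {expected}: {Accepts(deny, expected)}");   // True
        Console.WriteLine($"allowlist accepts {expected}: {Accepts(allow, expected)}");  // True
        Console.WriteLine($"denylist  accepts {unlisted}: {Accepts(deny, unlisted)}");   // True
        Console.WriteLine($"allowlist accepts {unlisted}: {Accepts(allow, unlisted)}");  // False
    }
}
```

The last two lines are the point: the denylist admits any type it has not been told about, so every newly found gadget chain requires another list update, whereas the allowlist refuses it without knowing anything about it. Where an application cannot move off `BinaryFormatter` entirely, an allowlist binder of this shape is the usual mitigation; the `mscorlib` assembly name is just a stand-in for the assembly name a real stream would carry.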
The recently discovered RCE vulnerability can only be exploited by an attacker who is able to authenticate successfully. According to the experts at watchTowr, that bar is very low: they argue that Veeam Backup & Replication's authentication requirements are not properly secured and that the vulnerabilities they have discovered could therefore pose serious risks.
Patch available
The vulnerability affects Veeam Backup & Replication version 12.3.0.310 and all previous version 12 builds. Veeam has now released a patch and end users are strongly advised to upgrade quickly to version 12.3.1 (build 12.3.1.1139).
As watchTowr also points out, Veeam Backup & Replication is regularly affected by vulnerabilities. At the end of last year alone, six patches were released for this product.