03 Apr

A vulnerability allowing remote code execution (RCE) by authenticated domain users.
Severity: Critical
CVSS v3.1 Score: 9.9
Impact: This vulnerability only impacts domain-joined backup servers.
A newly discovered vulnerability in Veeam Backup & Replication, tracked as CVE-2025-23120, has emerged as a critical threat for enterprise environments. With a near-maximum CVSS score, this flaw enables authenticated domain users to execute arbitrary code remotely, exposing a direct path to compromising backup infrastructures.
What Makes CVE-2025-23120 So Dangerous?

The CVE-2025-23120 (CVSS 9.9) vulnerability stems from a deserialization flaw in the Veeam Backup & Replication software’s .NET-based components, specifically within the Veeam.Backup.EsxManager.xmlFrameworkDs and Veeam.Backup.Core.BackupSummary classes. These components mishandle serialized data, allowing malicious actors to craft input that executes arbitrary code on the server.
Critically, the flaw only affects installations joined to a Windows domain – a configuration many organizations adopt despite Veeam’s longstanding guidance to avoid it. In such cases, any domain user can exploit the vulnerability, regardless of their privilege level.
CVE-2025-23120 impacts Veeam Backup & Replication version 12.3.0.310 and all earlier builds of version 12.

How the Exploit Works

At the core of this vulnerability is Veeam’s reliance on a blacklist approach to prevent insecure deserialization. While this method blocks known dangerous object types, it leaves room for attackers to identify unlisted gadgets. In this case, researchers at watchTowr Labs discovered a gadget chain that bypasses the blacklist by abusing the .NET DataSet class – well-known in the security community for its Remote Code Execution (RCE) capabilities.
This attack vector can be used by anyone with access to the Domain Users group, which typically includes all standard domain accounts. Once exploited, it could provide complete control over the backup server, potentially allowing attackers to delete backups, manipulate data, or establish persistence.
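To make the blacklist problem concrete, here is an added C# example (not Veeam's code) contrasting a denylist SerializationBinder with an allowlist one: the denylist resolves any type it has not heard of, so a type such as System.Data.DataSet passes, while the allowlist rejects everything except the types the application actually serializes. The blocked type names and the Demo.JobSummary class are assumptions for illustration; the example generalizes the page's point to any .NET deserializer that accepts a binder.

```csharp
using System;
using System.Collections.Generic;
using System.Runtime.Serialization;

// Denylist binder: the pattern the article criticizes. Types not on the list
// are resolved by name, so any gadget nobody listed yet is accepted.
sealed class DenylistBinder : SerializationBinder
{
    static readonly HashSet<string> Blocked = new(StringComparer.OrdinalIgnoreCase)
    {
        "Demo.KnownBadGadgetA",   // illustrative names, not real gadget types
        "Demo.KnownBadGadgetB",
    };

    public override Type BindToType(string assemblyName, string typeName)
    {
        if (Blocked.Contains(typeName))
            throw new SerializationException($"Blocked type: {typeName}");
        // Returning null tells BinaryFormatter to fall back to default
        // resolution, so anything unlisted is still instantiated.
        return Type.GetType($"{typeName}, {assemblyName}", throwOnError: false);
    }
}

// Allowlist binder: only the types this application really serializes are
// ever resolved; unknown gadgets are rejected before instantiation.
sealed class AllowlistBinder : SerializationBinder
{
    static readonly Dictionary<string, Type> Allowed = new()
    {
        ["Demo.JobSummary"] = typeof(JobSummary),   // hypothetical DTO
    };

    public override Type BindToType(string assemblyName, string typeName)
    {
        if (Allowed.TryGetValue(typeName, out var t)) return t;
        throw new SerializationException($"Type not permitted: {typeName}");
    }
}

[Serializable] sealed class JobSummary { public int JobCount; }

static class Demo
{
    // True when the binder does not reject the type name from the stream.
    static bool Accepts(SerializationBinder b, string asm, string type)
    {
        try { b.BindToType(asm, type); return true; }
        catch (SerializationException) { return false; }
    }

    static void Main()
    {
        const string asm = "System.Data";           // assembly name as it would appear in a stream
        const string gadget = "System.Data.DataSet"; // the gadget class named in the article
        Console.WriteLine($"denylist accepts DataSet:  {Accepts(new DenylistBinder(), asm, gadget)}");  // True
        Console.WriteLine($"allowlist accepts DataSet: {Accepts(new AllowlistBinder(), asm, gadget)}"); // False
    }
}
```

The point is that the denylist's answer depends on the attacker's knowledge of unlisted types, whereas the allowlist's answer depends only on what the application declared it needs.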
Immediate Mitigation Steps for CVE-2025-23120

Veeam has issued a patch via Backup & Replication version 12.3.1 (build 12.3.1.1139), and all users of affected versions are strongly encouraged to update immediately. The software vendor has not reported any exploitation in the wild as of now, but the public availability of technical details makes this vulnerability highly likely to be weaponized soon.
Here are the best practices going forward:
- Update to version 12.3.1 immediately. Delaying patches in this case may leave critical infrastructure vulnerable to ransomware and other advanced attacks.
- Avoid domain-joined installations unless absolutely necessary. Veeam has long advised against this configuration for good reason.
- Review server exposure and privileges. Ensure backup servers are segmented from general user access and are not accessible externally.

See the official Veeam advisory for CVE-2025-23120 here.
Why This Matters for Security Teams

Backup infrastructure represents a high-value target for attackers, especially ransomware operators. If they can control or disable backups, the odds of a successful extortion increase dramatically. Given the history of actively exploited vulnerabilities in Veeam products, CVE-2025-23120 should not be taken lightly. Organizations relying on Veeam must not only patch promptly but also reassess their architectural decisions, especially those involving domain integration and internal user access.
