- Veeam has released a patch for a 9.9/10 severity flaw that can lead to RCE
- It was found in Veeam Backup & Replication
- The flaw is only exploitable on installations joined to a domain
Veeam has released a patch for a critical-severity vulnerability recently discovered in its backup and replication software.
The vulnerability, tracked as CVE-2025-23120, is described as a deserialization flaw that allows authenticated domain users to carry out remote code execution (RCE) attacks. It was given a severity score of 9.9/10 (critical), and affects Veeam Backup & Replication 12.3.0.310 and all earlier version 12 builds.
It was fixed in version 12.3.1 (build 12.3.1.1139).
Blacklists and Whitelists
The flaw was discovered by cybersecurity researchers at watchTowr Labs, who criticized Veeam for the way it addresses deserialization problems:
“It seems Veeam, despite being the favourite plaything of ransomware gangs, did not learn the lesson from Frycos's previously published research. Supposedly, they fixed the deserialization problems by adding entries to their deserialization blacklist,” the researchers explained.
Adding entries to a deserialization blacklist does not work because attackers can always find new paths, and developers will always end up reacting to their behaviour, watchTowr explained. Instead, they suggest that Veeam should opt for a whitelist approach.
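To make the blacklist-versus-whitelist point concrete, the following added example (not from the article, watchTowr or Veeam, and using Python's `pickle` rather than the .NET serializers Veeam actually uses) contrasts a denylist-based deserializer, which admits any type it has not explicitly named, with an allowlist-based one, which admits only the types the application knows it needs. The `BackupJob` type, the denied and allowed sets, and the constructed sample payloads are all assumptions for illustration.

```python
import io
import pickle
from dataclasses import dataclass
from datetime import date


@dataclass
class BackupJob:
    """Hypothetical application type that we genuinely need to deserialize."""
    name: str
    retention_days: int


# Denylist approach (constructed example): block a few known-bad globals and
# let everything else through. Any type not on this list is accepted.
DENIED_GLOBALS = {("os", "system"), ("subprocess", "Popen")}


class DenylistUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        if (module, name) in DENIED_GLOBALS:
            raise pickle.UnpicklingError(f"denied: {module}.{name}")
        # Falls through to the default importer: unknown types are resolved
        # and instantiated, which is exactly what a denylist cannot prevent.
        return super().find_class(module, name)


# Allowlist approach: resolve only the exact types the application expects,
# from a fixed table, and never touch the import system for anything else.
ALLOWED_GLOBALS = {(BackupJob.__module__, BackupJob.__qualname__): BackupJob}


class AllowlistUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        try:
            return ALLOWED_GLOBALS[(module, name)]
        except KeyError:
            raise pickle.UnpicklingError(
                f"not on allowlist: {module}.{name}") from None


def load_with_denylist(data: bytes):
    return DenylistUnpickler(io.BytesIO(data)).load()


def load_with_allowlist(data: bytes):
    return AllowlistUnpickler(io.BytesIO(data)).load()


def classify(loader, data: bytes) -> str:
    """Return 'accepted' if the loader deserializes the payload, else 'rejected'."""
    try:
        loader(data)
        return "accepted"
    except pickle.UnpicklingError:
        return "rejected"


# Constructed sample payloads: one legitimate job object, and one object of a
# harmless type (datetime.date) that the application never asked to receive.
SAFE_JOB = pickle.dumps(BackupJob("nightly", 30))
UNLISTED = pickle.dumps(date(2025, 3, 20))

if __name__ == "__main__":
    for label, loader in (("denylist", load_with_denylist),
                          ("allowlist", load_with_allowlist)):
        print(label, "job:", classify(loader, SAFE_JOB),
              "| unlisted type:", classify(loader, UNLISTED))
```

Both loaders accept the legitimate `BackupJob`, but only the allowlist rejects the unlisted type; the denylist has no opinion on a type it has never heard of, which is why every newly discovered gadget class needs another blacklist entry. An allowlist inverts the default, so a type the application did not anticipate is rejected without anyone having to know about it in advance.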
Despite its critical severity, the flaw is not that easy to exploit, since it only affects Veeam Backup & Replication installations that are joined to a domain.
On the negative side, any domain user can exploit the flaw. BleepingComputer states that “many companies” have joined their Veeam servers to a Windows domain, “ignoring the company's best practices.”
The same publication reports that ransomware gangs have already told it that they always go after Veeam Backup & Replication servers, since they are an easy way into confidential data files and allow the attackers to block any backup and restore efforts.
At the time of publication, there were no reports of the flaw being abused in the wild, but it is safe to assume there will be, and soon, now that the cat is out of the bag.
If your company is using Veeam Backup & Replication, make sure to update it to version 12.3.1 as soon as you can.
Via BleepingComputer