Veeam fixed critical Backup & Replication flaw CVE-2025-23120

Pierluigi Paganini March 20, 2025

Veeam released security patches for a critical Backup & Replication vulnerability that could let attackers remotely execute code.

Veeam addressed a critical security vulnerability, tracked as CVE-2025-23120 (CVSS score of 9.9), impacting its Backup & Replication software that could lead to remote code execution.

The vulnerability affects version 12.3.0.310 and all earlier version 12 builds; it was fixed with the release of version 12.3.1 (build 12.3.1.1139).

“A vulnerability allowing remote code execution (RCE) by authenticated domain users,” reads the advisory published by the company.

Security researcher Piotr Bazydlo of watchTowr reported the vulnerability. It arises from flawed deserialization handling implemented by Veeam: the deserializer relies on a blocklist of known-dangerous classes, so an attacker can bypass it by using deserialization gadgets that are missing from that blocklist and achieve remote code execution.

“This research would never happen if not for my colleague Sina. He insisted that I should have a look at the Veeam deserialization mechanism, and I would have never done this if not for him,” wrote watchTowr. “He has also provided me all the knowledge needed for the exploitation, thus I only needed to focus on easy stuff – gadget discovery.”

Any local user on the Veeam server, or any domain user if the server is domain-joined, can exploit the vulnerability.

Veeam’s patch blocks the identified gadgets, but similar risks remain if new deserialization gadgets are found.
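The blocklist problem described above is easiest to see in a small deserializer. The following is an added example, not Veeam's code and not watchTowr's research: it uses Python's `pickle` as a stand-in for the affected deserializer, and the `KnownGadget`, `NewGadget` and `SafeRecord` classes are constructed for the demo (their only "payload" is appending a tag to a list). A blocklist-based loader rejects the gadget it knows about but accepts a gadget that was not on the list when the patch was written, while an allowlist-based loader rejects anything it was not explicitly told to accept.

```python
import io
import pickle

# Records side effects that fire during deserialization (constructed for the demo).
EXECUTED = []


class KnownGadget:
    """Constructed stand-in for a gadget class already on the blocklist."""

    def __init__(self, tag="known-gadget"):
        EXECUTED.append(tag)  # the side effect runs while the object is rebuilt
        self.tag = tag

    def __reduce__(self):
        # Serialised form references this class as a global plus its arguments,
        # so the unpickler re-invokes __init__ (and its side effect) on load.
        return (KnownGadget, (self.tag,))


class NewGadget:
    """Constructed stand-in for a gadget discovered after the blocklist was written."""

    def __init__(self, tag="new-gadget"):
        EXECUTED.append(tag)
        self.tag = tag

    def __reduce__(self):
        return (NewGadget, (self.tag,))


class SafeRecord:
    """Constructed plain data class: the only type the application legitimately needs."""

    def __init__(self, name):
        self.name = name


# Blocklist names only the gadget the vendor knew about at patch time.
BLOCKLIST = {(KnownGadget.__module__, KnownGadget.__qualname__)}

# Allowlist names only the types the application actually expects to load.
ALLOWLIST = {(SafeRecord.__module__, SafeRecord.__qualname__)}


class BlocklistUnpickler(pickle.Unpickler):
    """Deny-by-list: any class not on the blocklist is resolved and instantiated."""

    def find_class(self, module, name):
        if (module, name) in BLOCKLIST:
            raise pickle.UnpicklingError(f"blocked class {module}.{name}")
        return super().find_class(module, name)


class AllowlistUnpickler(pickle.Unpickler):
    """Deny-by-default: only explicitly allowed classes are resolved."""

    def find_class(self, module, name):
        if (module, name) not in ALLOWLIST:
            raise pickle.UnpicklingError(f"class {module}.{name} is not allowlisted")
        return super().find_class(module, name)


def serialize(obj):
    """Produce the untrusted byte string a client would send to the service."""
    return pickle.dumps(obj)


def load_with(unpickler_cls, data):
    """Deserialize with the given policy; report the outcome and any side effects."""
    EXECUTED.clear()
    try:
        unpickler_cls(io.BytesIO(data)).load()
        return ("accepted", list(EXECUTED))
    except pickle.UnpicklingError:
        return ("rejected", list(EXECUTED))


if __name__ == "__main__":
    for policy in (BlocklistUnpickler, AllowlistUnpickler):
        for sample in (KnownGadget(), NewGadget(), SafeRecord("job-1")):
            print(policy.__name__, type(sample).__name__, load_with(policy, serialize(sample)))
```

The blocklist loader rejects `KnownGadget` but happily runs `NewGadget`, which is exactly the situation the article describes: the patch closes the identified gadgets and nothing else. The allowlist loader accepts `SafeRecord` and rejects both gadgets without any knowledge of them, which is why deny-by-default type resolution (or a format that cannot express arbitrary object construction at all) is the durable fix.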

“Given the size of the Veeam codebase, we wouldn’t be surprised if other researchers now find numerous further feasible deserialization gadgets,” concludes watchTowr. “It is hard for us to be positive about this, given the criticality of the solution, combined with the well-known and trodden ground of this solution being targeted by ransomware gangs.”

