Backup, recovery, and data protection firm Veeam on Wednesday announced patches for a critical-severity vulnerability in its Backup & Replication product that could allow attackers to execute arbitrary code remotely.
In a scarce advisory, Veeam notes that the security defect, tracked as CVE-2025-23120 (CVSS score of 9.9), could allow for “remote code execution (RCE) by authenticated domain users”, and that Backup & Replication version 12.3.0.310 and previous version 12 builds are affected.
The company recommends updating to Backup & Replication version 12.3.1 (build 12.3.1.1139), which includes patches for the flaw.
According to cybersecurity firm watchTowr, which was credited for reporting the vulnerability, CVE-2025-23120 is rooted in a broader issue within Veeam’s deserialization mechanism, which the company has failed to properly address.
Veeam Backup & Replication, watchTowr says, follows the industry standard of controlling which classes can be deserialized, by implementing an allow-list, but also fails to implement proper deserialization procedures, as one of the allowed classes leads to inner deserialization, which implements a block-list instead.
Veeam’s patches for previously reported deserialization flaws involved adding entries to the block-list, and, due to this configuration and Backup & Replication’s large codebase, new deserialization gadgets that can be exploited to achieve code execution can still be found, watchTowr says.
CVE-2025-23120, the cybersecurity firm explains, can be linked to CVE-2024-40711, a critical-severity RCE flaw disclosed in September 2024 and exploited in ransomware attacks less than a month later.
It can also be linked to CVE-2024-42455, a high-severity bug allowing “an authenticated user with a role assigned in the Users and Roles settings on the backup server to connect to remote services and exploit insecure deserialization by sending a serialized temporary file collection, thereby enabling the deletion of any file on the system with service account privileges”.
Essentially, watchTowr says, an attacker can identify this type of issues in Backup & Replication by searching the product’s codebase for deserialization gadgets that are not block-listed, and which could have a malicious impact.
The cybersecurity firm itself identified two such issues (collectively tracked as CVE-2025-23120), including one that can be exploited by modifying proof-of-concept (PoC) code targeting CVE-2024-40711.
watchTowr also warns that, while the exploitation of the new vulnerability requires for the attacker to be logged in, “the authentication requirement is fairly weak.”
Related: Veeam Warns of Critical Vulnerability in Service Provider Console
Related: Veeam Patches High-Severity Vulnerability as Exploitation of Previous Flaw Expands
Related: Year-Old Veeam Vulnerability Exploited in Fresh Ransomware Attacks
Related: Critical Veeam Vulnerability Leads to Authentication Bypass