Urgent Alert: CVE-2025-23120 Vulnerability in Veeam Backup & Replication Risks RCE Exploitation
- Rescana
- Mar 21

Executive Summary
On March 20, 2025, a critical vulnerability identified as CVE-2025-23120 was disclosed. It affects organizations running Veeam Backup & Replication servers, notably those joined to Windows domains. The vulnerability is a remote code execution (RCE) flaw, potentially exploitable by any domain user, and could be particularly appealing to ransomware groups notorious for targeting backup infrastructures. Immediate patching and adherence to security best practices are imperative to mitigate risks.
Technical Information
The CVE-2025-23120 vulnerability resides within the Veeam Backup & Replication software, specifically affecting version 12.3.0.310 and all earlier builds of version 12. It is rooted in a deserialization flaw within the .NET classes Veeam.Backup.EsxManager.xmlFrameworkDs and Veeam.Backup.Core.BackupSummary. Deserialization vulnerabilities occur when an application rebuilds objects from serialized data without adequately validating it, allowing malicious actors to inject and execute harmful objects within the application environment.
This RCE flaw is critical as it provides unauthorized users the ability to execute arbitrary code on vulnerable servers. The flaw can be exploited by any domain user, significantly increasing its risk profile. Notably, while no active exploitation has been reported, the detailed technical analysis by watchTowr Labs suggests a proof-of-concept (PoC) could be imminent, highlighting the urgency for organizations to secure their systems.
Organizations with Veeam servers connected to a Windows domain are at heightened risk, as ransomware gangs have a history of targeting such servers for data theft and hindering restoration efforts by deleting backups. The breach potential underscores the necessity for immediate defensive actions, including patching and system configuration reviews to prevent unauthorized access.
Exploitation in the Wild
Despite no current reports of CVE-2025-23120 exploitation in the wild, its characteristics make it an attractive target for malicious entities. The ease with which domain users can exploit the flaw, combined with the critical nature of backup systems, suggests that it could become a focal point for cybercriminals, particularly those involved in ransomware operations. Organizations should remain vigilant and monitor for any indicators of compromise, such as unusual network activity or unauthorized access attempts.
APT Groups using this vulnerability
Currently, there are no specific Advanced Persistent Threat (APT) groups known to be exploiting CVE-2025-23120. However, given the historical interest of ransomware gangs in targeting backup systems, organizations should maintain heightened awareness and implement robust monitoring to detect potential exploitation attempts.
Affected Product Versions
The vulnerability affects Veeam Backup & Replication version 12.3.0.310 and all preceding builds of version 12. Users of these versions are urged to upgrade immediately to mitigate potential risks associated with this flaw.
Workaround and Mitigation
To mitigate the risks associated with CVE-2025-23120, organizations are advised to upgrade to Veeam Backup & Replication version 12.3.1 (build 12.3.1.1139), where the vulnerability is addressed. Additionally, consider detaching the Veeam server from the domain to limit potential exploitation pathways. Implement routine security audits, review access permissions, and monitor systems for anomalous behaviors to further safeguard against unauthorized exploitation.
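To turn the version guidance above into a patch-priority list, the following added example (not code from Rescana or Veeam) triages an inventory export against the two builds this advisory names. The CSV layout with host, build and domain_joined columns, the hostnames and the status labels are assumptions; builds outside version 12 are reported as not covered because the advisory does not address them.

```python
import csv
import io

LAST_AFFECTED = (12, 3, 0, 310)  # advisory: this build and all earlier v12 builds
FIRST_FIXED = (12, 3, 1, 1139)   # advisory: 12.3.1 (build 12.3.1.1139)

def parse_build(text):
    """Return a 4-tuple of ints, or None if text is not a dotted 4-part build."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdecimal() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def classify(build_text):
    build = parse_build(build_text)
    if build is None:
        return "unparseable"
    if build[0] != 12:
        return "not-covered"   # the advisory only speaks about version 12
    if build <= LAST_AFFECTED:
        return "vulnerable"
    if build >= FIRST_FIXED:
        return "fixed"
    return "unlisted"          # between the two builds the advisory names

def triage(inventory_csv):
    """Return (host, build, status, priority) rows, most urgent first."""
    rows = []
    for rec in csv.DictReader(io.StringIO(inventory_csv)):
        status = classify(rec["build"])
        joined = rec["domain_joined"].strip().lower() == "yes"
        if status == "vulnerable":
            priority = 1 if joined else 2  # domain-joined servers are at heightened risk
        elif status in ("unparseable", "unlisted"):
            priority = 3                   # needs a manual check
        else:
            priority = 4
        rows.append((rec["host"], rec["build"], status, priority))
    return sorted(rows, key=lambda r: r[3])

# Constructed sample inventory; hostnames and builds are illustrative only.
SAMPLE = """host,build,domain_joined
vbr-01,12.3.0.310,yes
vbr-02,12.3.1.1139,yes
vbr-03,12.1.0.100,no
vbr-04,11.0.0.1,yes
vbr-05,12.3.1,no
"""

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(*row, sep="\t")
```

Rows with priority 3 carry a build string that is malformed or falls between the two builds the advisory lists, so confirm them against the vendor's release information before marking them safe.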
References
- BleepingComputer Article on Veeam RCE Bug
- Technical writeup by watchTowr Labs
Rescana is here for you
Rescana's Third Party Risk Management (TPRM) platform is committed to assisting organizations in navigating cybersecurity challenges. Our platform provides comprehensive risk assessments to identify and mitigate vulnerabilities, ensuring the security and resilience of your systems. Should you have any questions or require further assistance, please do not hesitate to contact us at ops@rescana.com.