Full Report
Veeam has released security updates to address a critical security flaw impacting its Backup & Replication software that could lead to remote code execution. The vulnerability, tracked as CVE-2025-23120, carries a CVSS score of 9.9 out of 10.0. It affects 12.3.0.310 and all earlier version 12 builds. "A vulnerability allowing remote code execution (RCE) by authenticated domain users," the
Analysis Summary
This summary focuses only on the Veeam vulnerability as the details for the IBM AIX vulnerabilities were not sufficiently detailed in the provided snippet to fully fill out all required sections (like CWE, specific impact details, etc.).
# Vulnerability: Critical Remote Code Execution in Veeam Backup & Replication via Deserialization
## CVE Details
- CVE ID: CVE-2025-23120
- CVSS Score: 9.9 (Critical)
- CWE: Inconsistent deserialization mechanisms, allowing bypass of blocklists (related: CWE-502: Deserialization of Untrusted Data)
## Affected Systems
- Products: Veeam Backup & Replication
- Versions: Build 12.3.0.310 and all earlier version 12 builds.
- Configurations: Exploitable by any user belonging to the local 'users' group on the Windows host of the Veeam server, or any domain user if the server is domain-joined.
## Vulnerability Description
The vulnerability stems from Veeam's inconsistent deserialization controls. The outer deserialization step restricted input to an allowlist of classes, but one of those allowlisted classes, once deserialized, triggered an inner deserialization step that was guarded only by a blocklist of known-dangerous types. Serialization gadgets missing from that blocklist (`Veeam.Backup.EsxManager.xmlFrameworkDs` and `Veeam.Backup.Core.BackupSummary`) could therefore be deserialized, allowing an attacker to trigger remote code execution (RCE).
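The defensive lesson in the description above is that a blocklist fails open while an allowlist fails closed, and that an inner deserialization step must inherit the same policy as the outer one. The following is an added example, not Veeam code: it models the outer/inner split with Python's `pickle` and two `Unpickler` subclasses. `Config`, `Envelope` and `LegacyHelper` are constructed stand-in types (`LegacyHelper` is deliberately harmless; it only represents a type nobody put on the blocklist), and `BLOCKLIST`/`ALLOWLIST` are illustrative policies, not Veeam's.

```python
"""Allowlist vs blocklist deserialization policy (added example, not Veeam code)."""
import io
import pickle


# Constructed application types. Config and Envelope stand in for classes the
# deserializer legitimately expects; LegacyHelper stands in for a type that
# nobody added to the blocklist. It has no side effects here on purpose.
class Config:
    def __init__(self, name):
        self.name = name


class Envelope:
    """Allowlisted wrapper whose 'inner' field carries a second serialized blob,
    mirroring the outer/inner deserialization split described in the advisory."""
    def __init__(self, kind, inner):
        self.kind = kind
        self.inner = inner


class LegacyHelper:
    def __init__(self, value):
        self.value = value


# A blocklist can only name what its authors thought of (illustrative entries).
BLOCKLIST = {("os", "system"), ("subprocess", "Popen"), ("builtins", "eval")}

# An allowlist names exactly what the application needs and rejects everything else.
ALLOWLIST = {(Config.__module__, "Config"), (Envelope.__module__, "Envelope")}


class BlocklistUnpickler(pickle.Unpickler):
    """Fails open: any (module, name) pair that is not explicitly listed is accepted."""
    def find_class(self, module, name):
        if (module, name) in BLOCKLIST:
            raise pickle.UnpicklingError(f"blocked type {module}.{name}")
        return super().find_class(module, name)


class AllowlistUnpickler(pickle.Unpickler):
    """Fails closed: only (module, name) pairs that are explicitly listed are accepted."""
    def find_class(self, module, name):
        if (module, name) not in ALLOWLIST:
            raise pickle.UnpicklingError(f"type not allowlisted: {module}.{name}")
        return super().find_class(module, name)


def load_with_blocklist(blob):
    return BlocklistUnpickler(io.BytesIO(blob)).load()


def load_with_allowlist(blob):
    return AllowlistUnpickler(io.BytesIO(blob)).load()


def build_message(kind, payload):
    """Constructed input: an Envelope whose inner field is itself a pickle."""
    return pickle.dumps(Envelope(kind, pickle.dumps(payload)))


def deserialize_message(blob, inner_loader):
    """The outer step always uses the allowlist; the inner step uses whichever
    policy the caller passes, so the two policies can be compared side by side."""
    envelope = load_with_allowlist(blob)
    if not isinstance(envelope, Envelope):
        raise pickle.UnpicklingError("outer object is not an Envelope")
    inner = inner_loader(envelope.inner)
    return envelope.kind, type(inner).__name__


def compare_policies():
    """Return what each inner policy does with an expected and an unexpected payload.
    Keys are (policy, payload); values are the instantiated type name or 'rejected'."""
    results = {}
    expected = build_message("config", Config("nightly"))
    unexpected = build_message("config", LegacyHelper("not on any blocklist"))
    for label, loader in (("blocklist", load_with_blocklist), ("allowlist", load_with_allowlist)):
        results[(label, "expected")] = deserialize_message(expected, loader)[1]
        try:
            results[(label, "unexpected")] = deserialize_message(unexpected, loader)[1]
        except pickle.UnpicklingError:
            results[(label, "unexpected")] = "rejected"
    return results


if __name__ == "__main__":
    for key, outcome in sorted(compare_policies().items()):
        print(f"inner policy={key[0]:<9} payload={key[1]:<10} -> {outcome}")
```

The blocklisted inner step instantiates `LegacyHelper` because nobody listed it, which is exactly the shape of the Veeam bypass; the allowlisted inner step rejects it without anyone having to anticipate it. The fix is not a longer blocklist but the same allowlist applied at every deserialization boundary.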
## Exploitation
- Status: PoC available (Implied by researchers discovering and reporting the bypass)
- Complexity: Low (Exploitable by authenticated domain users)
- Attack Vector: Network (Requires authentication as a local or domain user)
## Impact
- Confidentiality: High (Potential access to sensitive backup data/server infrastructure)
- Integrity: High (Ability to modify or execute arbitrary code)
- Availability: High (Potential for system shutdown or denial of service)
## Remediation
### Patches
- Veeam Backup & Replication version 12.3.1 (build 12.3.1.1139)
### Workarounds
- No specific workarounds were detailed in the provided text other than applying the patch.
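To turn the version statements above into a repeatable check, here is an added example (not Veeam tooling) that classifies a four-part Veeam Backup & Replication build number against the advisory: build 12.3.0.310 and all earlier version 12 builds are vulnerable, and 12.3.1.1139 is the first fixed build. Builds that fall between those two numbers are not named on this page, so the check reports them as unlisted rather than guessing; non-12 major versions are reported as out of scope. The inventory rows are constructed sample data; how you collect the build string from each host is up to your own tooling.

```python
"""Classify Veeam B&R build numbers against CVE-2025-23120 (added example)."""

# Both constants come from the advisory text above.
LAST_KNOWN_VULNERABLE = (12, 3, 0, 310)   # "12.3.0.310 and all earlier version 12 builds"
FIRST_FIXED_BUILD = (12, 3, 1, 1139)      # "version 12.3.1 (build 12.3.1.1139)"

STATUS_VULNERABLE = "vulnerable"
STATUS_FIXED = "fixed"
STATUS_UNLISTED = "unlisted build; confirm against the vendor advisory"
STATUS_OUT_OF_SCOPE = "not a version 12 build; not covered by this advisory"


def parse_build(text):
    """Turn '12.3.0.310' into (12, 3, 0, 310); reject anything that is not four integers."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part build number: {text!r}")
    return tuple(int(p) for p in parts)


def assess_build(text):
    """Return one of the STATUS_* strings for a single build number."""
    build = parse_build(text)
    if build[0] != 12:
        return STATUS_OUT_OF_SCOPE
    if build <= LAST_KNOWN_VULNERABLE:
        return STATUS_VULNERABLE
    if build >= FIRST_FIXED_BUILD:
        return STATUS_FIXED
    # Newer than the last build the advisory calls vulnerable but older than the
    # fix: the page does not say, so do not assume either way.
    return STATUS_UNLISTED


def triage_inventory(rows):
    """rows: iterable of (hostname, build_string). Returns {hostname: status}.
    Unparseable build strings are reported instead of aborting the whole run."""
    report = {}
    for host, build_text in rows:
        try:
            report[host] = assess_build(build_text)
        except ValueError as exc:
            report[host] = f"unparseable: {exc}"
    return report


# Constructed sample inventory (hostnames and the non-advisory builds are made up).
SAMPLE_INVENTORY = [
    ("bkp-01", "12.3.0.310"),
    ("bkp-02", "12.2.0.1"),
    ("bkp-03", "12.3.1.1139"),
    ("bkp-04", "12.3.0.999"),
    ("bkp-05", "11.0.0.1"),
    ("bkp-06", "12.3"),
]


if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Keeping the unlisted band separate from "fixed" matters in practice: a tuple comparison that only tested `build >= FIRST_FIXED_BUILD` would silently label every in-between build as vulnerable, and one that only tested `build <= LAST_KNOWN_VULNERABLE` would label them fixed; neither claim is supported by the advisory.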
## Detection
- Detection methods rely on monitoring interactions with the vulnerable deserialization endpoints. Specific IoCs were not provided in the source text.
## References
- Vendor Advisory: https://www.veeam.com/kb4724
- Researcher Disclosure: https://labs.watchtowr.com/by-executive-order-we-are-banning-blacklists-domain-level-rce-in-veeam-backup-replication-cve-2025-23120/
***
## Additional High-Risk Flaws (IBM AIX)
Two additional critical flaws were noted for IBM AIX, summarized below:
### CVE-2024-56346
- **Severity:** 10.0 (Critical)
- **Description:** Improper access control vulnerability allowing a remote attacker to execute arbitrary commands via the **AIX nimesis NIM master service**.
### CVE-2024-56347
- **Severity:** 9.6 (Critical)
- **Description:** Improper access control vulnerability allowing a remote attacker to execute arbitrary commands via the **AIX nimsh service SSL/TLS protection mechanism**.
**IBM AIX Remediation Note:** IBM has shipped fixes for these issues impacting AIX versions 7.2 and 7.3. Users should consult the IBM support links for specific patch versions.