Full Report
Veeam has patched a critical remote code execution vulnerability tracked as CVE-2025-23120 in its Backup & Replication software that impacts domain-joined installations. [...]
Analysis Summary
# Vulnerability: Veeam Backup & Replication Unpatched Deserialization RCE
## CVE Details
- CVE ID: CVE-2025-23120 (as stated in the report summary above; not repeated in the analysed text).
- CVSS Score: Not explicitly provided in the text.
- CWE: Likely related to Insecure Deserialization.
## Affected Systems
- Products: Veeam Backup & Replication
- Versions: Versions prior to 12.3.1 (implied, as 12.3.1 is the fix).
- Configurations: Installations that are joined to an Active Directory domain.
## Vulnerability Description
The vulnerability is an insecure deserialization flaw that allows an attacker to achieve Remote Code Execution (RCE). This appears to be a bypass of a previous fix where Veeam attempted to use a blacklist approach for deserialization issues. Researchers found a different "gadget chain" that was not on the blacklist, enabling them to successfully achieve RCE.
## Exploitation
- Status: Not reported as exploited in the wild, but a Proof-of-Concept (PoC) is anticipated due to the publicly shared technical details.
- Complexity: Implied to be Low to Medium, as it only requires domain user privileges to exploit.
- Attack Vector: Network (since it targets a domain-joined server accessible by a domain user).
## Impact
- Confidentiality: High (Potential access to sensitive backup data/system information).
- Integrity: High (Ability to execute arbitrary code on the backup server).
- Availability: High (Ability to delete or corrupt backups, hindering disaster recovery).
## Remediation
### Patches
- Veeam Backup & Replication version 12.3.1 (or later versions addressing this vulnerability).
### Workarounds
- Remove the Veeam Backup & Replication server from the Active Directory domain (operate in a Workgroup configuration), as the vulnerability specifically impacts domain-joined installations.
- Review and implement Veeam's long-standing security hardening best practices.
## Detection
- Detection should focus on monitoring for unusual activity originating from domain user accounts and directed at the Veeam server, especially attempts at remote code execution or service manipulation. Since the vulnerability allows RCE, standard endpoint and network monitoring for command execution or suspicious process creation on the Veeam server should be prioritized.
## References
- Vendor Advisory (Implied via patch availability, search for Veeam Security Update relevant to RCE/Deserialization): [Defanged URL Placeholder]
- Research/Reporting Mentioned: [Defanged URL Placeholder] - research by Frycos is mentioned as context.