Veeam patches critical vulnerability in Backup & Replication software
Take action: If you are using Veeam Backup & Replication server, this is a priority patch. Naturally, make sure the server is isolated from the internet. But isolating the server isn't a full solution, since its attack vector is an authenticated user on the domain. Patch your Veeam system ASAP!
Veeam has released an urgent security update to address a critical vulnerability in its widely used Backup & Replication software.
The flaw, tracked as CVE-2025-23120 (CVSS score 9.9), could allow authenticated domain users to execute malicious code remotely on affected systems. It impacts domain-joined backup servers, which contradicts Veeam's own security best practices stating that backup servers should never be part of a production domain. Security experts at Rapid7 believe this is still "a relatively common configuration" in real-world deployments.
The vulnerability arises from how Veeam implemented its protection against deserialization attacks: a whitelist-based mechanism that is partly based on a blocklist. Researchers indicated that exploiting the flaw would be "super simple" for attackers familiar with a similar vulnerability (CVE-2024-40711) that was patched in September 2024.
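To make the design point concrete, here is an added illustration (not Veeam's code, which is .NET; this is a Python stand-in using the standard pickle module) of why a deserialization gate built on a blocklist is structurally weaker than one built on a strict allowlist. The type names, the `BLOCKED_TYPES`/`ALLOWED_TYPES` sets and the sample payloads are all constructed for the example. The two "bad" payloads contain only a type reference and no call opcode, so loading them with either gate does nothing beyond returning the referenced object.

```python
import io
import pickle
from collections import OrderedDict

# Blocklist approach: deny a handful of types known to be dangerous.
# Anything not named here passes, which is the weakness of the design.
BLOCKED_TYPES = {("os", "system"), ("builtins", "eval"), ("builtins", "exec")}

# Allowlist approach: permit only the types the application needs to
# round-trip (here, a constructed job record stored as an OrderedDict).
# Everything else is rejected by default.
ALLOWED_TYPES = {("collections", "OrderedDict")}


class BlocklistUnpickler(pickle.Unpickler):
    """Gate that refuses known-bad types and lets everything else through."""

    def find_class(self, module, name):
        if (module, name) in BLOCKED_TYPES:
            raise pickle.UnpicklingError(f"blocked type {module}.{name}")
        return super().find_class(module, name)


class AllowlistUnpickler(pickle.Unpickler):
    """Gate that admits only explicitly approved types."""

    def find_class(self, module, name):
        if (module, name) not in ALLOWED_TYPES:
            raise pickle.UnpicklingError(f"type not allowed: {module}.{name}")
        return super().find_class(module, name)


def load_with(unpickler_cls, data):
    """Deserialize with the given gate; return ('accepted', obj) or ('rejected', reason)."""
    try:
        return "accepted", unpickler_cls(io.BytesIO(data)).load()
    except pickle.UnpicklingError as exc:
        return "rejected", str(exc)


# Constructed sample payloads.
LEGIT = pickle.dumps(OrderedDict(name="nightly-vms", repository="repo-01"), protocol=4)
KNOWN_BAD = b"cos\nsystem\n."          # references a blocklisted type; no REDUCE, nothing runs
UNLISTED = b"csubprocess\nPopen\n."    # not on the blocklist and not on the allowlist


def compare(data):
    """Show how each gate decides on the same serialized input."""
    return {
        "blocklist": load_with(BlocklistUnpickler, data)[0],
        "allowlist": load_with(AllowlistUnpickler, data)[0],
    }


if __name__ == "__main__":
    for label, payload in (("legit", LEGIT), ("known_bad", KNOWN_BAD), ("unlisted", UNLISTED)):
        print(label, compare(payload))
```

The legitimate record is accepted by both gates and the blocklisted type is refused by both, but the unlisted type sails through the blocklist gate while the allowlist gate refuses it. That asymmetry is the reason an allowlist that falls back on a blocklist inherits the blocklist's gaps: the defender has to enumerate every dangerous type, whereas the attacker only needs to find one that was missed.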
The vulnerability affects Veeam Backup & Replication version 12.3.0.310 and all earlier version 12 builds. Unsupported product versions (version 11 and earlier) haven't been tested but are likely affected and should be considered vulnerable.
Security researcher Piotr Bazydlo of watchTowr, who discovered and reported the vulnerability on February 5, 2025, warned: "If you have not patched your Veeam server and it is joined to your AD domain, you are probably in real danger."
Veeam has released version 12.3.1 (build 12.3.1.1139) to fix the vulnerability. For deployments running version 12.3.0.310 that cannot immediately update, a hotfix is available, but only if no other hotfixes have been previously installed.