Veeam and IBM Issue Critical Security Updates for Backup and AIX Vulnerabilities

Veeam Patches Critical Remote Code Execution Vulnerability in Backup & Replication Software 

Veeam has issued security updates to fix a critical vulnerability in its Backup & Replication software, which could allow remote code execution (RCE) by authenticated users. 

The flaw, identified as CVE-2025-23120, has been assigned a CVSS score of 9.9 out of 10 and affects version 12.3.0.310 and all earlier version 12 builds. 

According to Veeam’s advisory, the vulnerability could be exploited by authenticated domain users, allowing them to execute malicious code remotely. Security researcher Piotr Bazydlo of watchTowr discovered and reported the flaw, which has been patched in version 12.3.1 (build 12.3.1.1139). 

Bazydlo, along with researcher Sina Kheirkhah, explained that the flaw arises from inconsistent deserialization handling within Veeam’s software. Attackers can bypass the security blocklist by using unrestricted deserialization gadgets, specifically Veeam.Backup.EsxManager.xmlFrameworkDs and Veeam.Backup.Core.BackupSummary, to execute arbitrary code. 

The exploit can be carried out by any user in the local users group on the Windows host running Veeam, and if the server is joined to a domain, any domain user could exploit the flaw. 

To mitigate the risk, Veeam’s patch adds the affected deserialization gadgets to the blocklist. However, researchers warn that similar vulnerabilities could reappear if other deserialization methods bypass the updated security measures. 
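The blocklist-versus-allowlist point the researchers make is easy to see with a small model. The example below is added here and is not Veeam's or watchTowr's code: Python's pickle stands in for the .NET serializer (both name the type to instantiate inside the stream), the "known gadget" and "allowed" type sets are constructed for illustration, and the "new gadget" is simply a harmless type that nobody thought to list.

```python
import collections
import io
import pickle


class BlocklistUnpickler(pickle.Unpickler):
    """Patch-style defence: refuse only types already known to be dangerous."""

    # Constructed stand-in for a gadget blocklist (here a harmless stdlib type).
    BLOCKED = {("collections", "OrderedDict")}

    def find_class(self, module, name):
        if (module, name) in self.BLOCKED:
            raise pickle.UnpicklingError(f"blocked type {module}.{name}")
        return super().find_class(module, name)


class AllowlistUnpickler(pickle.Unpickler):
    """Robust defence: resolve only the types the application actually needs."""

    # Constructed allowlist: anything not named here is rejected, known or not.
    ALLOWED = {("builtins", "set")}

    def find_class(self, module, name):
        if (module, name) not in self.ALLOWED:
            raise pickle.UnpicklingError(f"type {module}.{name} not allowlisted")
        return super().find_class(module, name)


def try_load(unpickler_cls, data):
    """Return ("ok", value) or ("rejected", reason) for one serialized stream."""
    try:
        return ("ok", unpickler_cls(io.BytesIO(data)).load())
    except pickle.UnpicklingError as exc:
        return ("rejected", str(exc))


# Constructed sample streams: primitives only, the blocklisted type, and a
# type that is just as unexpected but was never added to the blocklist.
PLAIN = pickle.dumps({"a": 1})
KNOWN_GADGET = pickle.dumps(collections.OrderedDict(a=1))
NEW_GADGET = pickle.dumps(collections.Counter({"a": 1}))

if __name__ == "__main__":
    for label, stream in [("plain", PLAIN), ("known", KNOWN_GADGET), ("new", NEW_GADGET)]:
        print(label, "blocklist:", try_load(BlocklistUnpickler, stream)[0],
              "allowlist:", try_load(AllowlistUnpickler, stream)[0])
```

The blocklist stops the type it knows about but resolves the unlisted one, which is exactly the gap the researchers describe; the allowlist rejects both while still loading ordinary data.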

This development follows IBM’s release of security fixes for two critical vulnerabilities in its AIX operating system, which could also allow remote command execution. 

The vulnerabilities affect AIX versions 7.2 and 7.3: 

  • CVE-2024-56346 (CVSS 10.0) – An improper access control flaw in the AIX nimesis NIM master service, allowing remote command execution.
  • CVE-2024-56347 (CVSS 9.6) – An access control vulnerability in the AIX nimsh service SSL/TLS mechanism, enabling remote attackers to execute arbitrary commands.

While there is no evidence of active exploitation, users are strongly advised to apply the patches immediately to protect against potential threats.

With Cybersecurity Insights, current news and event trends in cybersecurity, recent system and cyber-attacks, artificial intelligence (AI), and technology innovation around the world are captured to keep our viewers abreast of current developments in technology and system security, and of how they affect our lives and ecosystem.