- March 21, 2025
- Beazley Security Labs
Critical Vulnerability in Veeam Backup and Replication (CVE-2025-23120)
Executive Summary
On March 19th, backup solution vendor Veeam published an advisory detailing a critical vulnerability in their Backup and Replication product. This product is used as a data backup and restoration solution, and the vulnerability is due to a deserialization bug that would allow an authenticated attacker to achieve remote code execution (RCE) on a targeted device. Ransomware threat actors often target Veeam to steal and destroy backups, and they could opportunistically leverage this vulnerability to enhance the impact and destruction of victim files.
Affected Systems or Products
Veeam Backup and Replication products 12.3.0.310 and older are affected by this vulnerability.
| Product | Affected | Unaffected |
|---|---|---|
| Veeam Backup and Replication | 12.3.0.310 and all earlier 12 version builds | 12.3.1 and greater |
A hotfix has also been developed for version 12.3, but per Veeam it can only be installed if no other hotfixes have been installed for this version because it could overwrite prior hotfixes.
Mitigations / Workarounds
The primary mitigation to this vulnerability is to apply the latest updates provided by Veeam. Other best practices include:
- Detach Veeam backup appliances from domain membership so that a compromise of Active Directory does not extend to the backup infrastructure.
- Separate Veeam servers into their own management network and firewall access so that only trusted administrative networks can reach them.
- Only allow access to Veeam management infrastructure by authorized backup administrators.
Patches
Patches for this vulnerability have been released and can be found on Veeam’s website. It is recommended that any vulnerable systems be updated to version 12.3.1. If this is not possible, a hotfix has been made for build 12.3 (12.3.0.310) that can only be applied if no other hotfixes have been previously installed because the older hotfixes may be overwritten.
Indicators of Compromise
At the time of this writing, Veeam has not released any public indicators of compromise for this vulnerability. However, administrators should monitor activities on Veeam server infrastructure by setting up audit logging and alerts for:
- Unusual activity such as unexpected processes spawned on Veeam systems
- Unexpected data exfiltration from backup systems
- New or unrecognized user accounts attempting to access Veeam
- Unexpected configuration changes to Veeam management systems
- Unexpected updates to encryption keys or backup targets
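The first and third items above (unexpected child processes of the Veeam service and unrecognized accounts operating Veeam) can be turned into simple detection rules over process-creation telemetry. The following is an added example written for this page, not Beazley Security or Veeam code. The events are constructed to look like Sysmon process-creation records, the Veeam executable names and the lists of expected child processes and approved operator accounts are assumptions to be tuned for a real deployment, and the only Veeam-specific logic is the naming-convention check (image basename beginning with "veeam").

```python
"""Flag unexpected Veeam child processes and unapproved Veeam operators (added example)."""
import json
from pathlib import PureWindowsPath

# Constructed sample events in a Sysmon-like shape; these are not real logs.
SAMPLE_EVENTS = [
    {"ts": "2025-03-20T02:10:01Z", "host": "vbr01", "user": "CORP\\svc-veeam",
     "parent": r"C:\Program Files\Veeam\Backup and Replication\Backup\Veeam.Backup.Service.exe",
     "image": r"C:\Program Files\Veeam\Backup and Replication\Backup\Veeam.Backup.Manager.exe",
     "cmdline": "Veeam.Backup.Manager.exe"},
    {"ts": "2025-03-20T02:11:44Z", "host": "vbr01", "user": "CORP\\svc-veeam",
     "parent": r"C:\Program Files\Veeam\Backup and Replication\Backup\Veeam.Backup.Service.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c whoami"},
    {"ts": "2025-03-20T09:03:12Z", "host": "vbr01", "user": "CORP\\jdoe",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Veeam\Backup and Replication\Backup\Veeam.Backup.Shell.exe",
     "cmdline": "Veeam.Backup.Shell.exe"},
    {"ts": "2025-03-20T09:15:30Z", "host": "vbr01", "user": "CORP\\backupadmin",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Veeam\Backup and Replication\Backup\Veeam.Backup.Shell.exe",
     "cmdline": "Veeam.Backup.Shell.exe"},
]

# Assumed: child processes the Veeam service normally spawns in this environment.
EXPECTED_VEEAM_CHILDREN = {"veeam.backup.manager.exe", "veeamagent.exe"}
# Assumed: the only accounts allowed to run Veeam management binaries.
APPROVED_BACKUP_OPERATORS = {"corp\\svc-veeam", "corp\\backupadmin"}


def basename(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return PureWindowsPath(path).name.lower()


def is_veeam_binary(path):
    """Assumed naming convention: Veeam executables start with 'veeam'."""
    return basename(path).startswith("veeam")


def detect(events):
    """Return one finding per rule hit; an event can trigger both rules."""
    findings = []
    for ev in events:
        parent, image, user = basename(ev["parent"]), basename(ev["image"]), ev["user"].lower()
        # Rule 1: the Veeam service spawned something outside its expected children.
        if is_veeam_binary(ev["parent"]) and image not in EXPECTED_VEEAM_CHILDREN:
            findings.append({"rule": "unexpected_child_process", "ts": ev["ts"],
                             "host": ev["host"], "user": ev["user"],
                             "detail": f"{parent} spawned {image}: {ev['cmdline']}"})
        # Rule 2: a Veeam management binary was run by an account not on the approved list.
        if is_veeam_binary(ev["image"]) and user not in APPROVED_BACKUP_OPERATORS:
            findings.append({"rule": "unrecognized_account", "ts": ev["ts"],
                             "host": ev["host"], "user": ev["user"],
                             "detail": f"{ev['user']} started {image}"})
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(json.dumps(finding))
```

Running the block prints two findings: the service spawning cmd.exe, and CORP\jdoe opening the Veeam console. In practice the same rules are expressed in the SIEM's query language over the real process-creation source; the allowlists are the tuning knobs and should be reviewed whenever Veeam is upgraded.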
Technical Details
Veeam Backup and Replication versions 12.3.0.310 and earlier have a critical vulnerability that enables authenticated domain users to perform remote code execution. The flaw exists because the product does not adequately protect the handling of serialized data in its code and instead relies on a blocklist filter that only rejects previously identified dangerous data types.
Veeam processes certain types of data using deserialization, the process of reconstructing stored or transmitted data into in-memory objects the application can work with. These objects can represent, for example, configuration settings or backup summaries. Attackers who have already obtained domain user credentials on the same domain as the Veeam backup servers could exploit this flaw to execute malicious code on the server and gain control over the backup infrastructure.
In a blog post by watchTowr, some dangerous data types were reportedly not recognized by Veeam's existing blocklist, meaning an attacker could craft a serialized request that bypasses Veeam's filter and tricks Veeam into deserializing a malicious payload.
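The weakness described in the two paragraphs above is structural rather than specific to any one missed type: a blocklist can only reject types someone has already thought of, whereas an allowlist rejects everything the application does not explicitly expect. The following is an added example written for this page, not Veeam's code, and it uses Python's pickle module as a stand-in for the .NET serializer the advisory concerns because the page contains no Veeam code; the mechanism (hooking the point where the deserializer resolves a type name) and the lesson transfer directly. `BackupSummary`, `UnanticipatedType`, and both filter lists are constructed for the example.

```python
"""Blocklist versus allowlist type filtering at deserialization time (added example)."""
import io
import pickle


class BackupSummary:
    """Constructed benign type that the application legitimately expects to load."""
    def __init__(self, job, size_bytes):
        self.job = job
        self.size_bytes = size_bytes


class UnanticipatedType:
    """Constructed stand-in for any type the blocklist author never listed."""
    def __init__(self, note):
        self.note = note


# Constructed blocklist: names already known to be dangerous to resolve during loading.
BLOCKED_TYPES = {("builtins", "eval"), ("builtins", "exec")}
# Constructed allowlist: the only types this loader is ever supposed to materialize.
ALLOWED_TYPES = {(__name__, "BackupSummary")}


class BlocklistUnpickler(pickle.Unpickler):
    """Rejects listed names and resolves everything else (the weak pattern)."""
    def find_class(self, module, name):
        if (module, name) in BLOCKED_TYPES:
            raise pickle.UnpicklingError(f"blocked type {module}.{name}")
        return super().find_class(module, name)


class AllowlistUnpickler(pickle.Unpickler):
    """Resolves only expected names and rejects everything else (the safe pattern)."""
    def find_class(self, module, name):
        if (module, name) not in ALLOWED_TYPES:
            raise pickle.UnpicklingError(f"type not allowed: {module}.{name}")
        return super().find_class(module, name)


def load_with(unpickler_cls, data):
    """Return ('ok', obj) if the filter let the data through, else ('rejected', reason)."""
    try:
        return "ok", unpickler_cls(io.BytesIO(data)).load()
    except pickle.UnpicklingError as exc:
        return "rejected", str(exc)


def compare_filters():
    """Feed the same three inputs to both filters and report what each decided."""
    legit = pickle.dumps(BackupSummary("nightly-fileserver", 42_000_000))
    # A bare reference to a listed name; loading it only yields the function object,
    # nothing is called, so this shows the blocklist doing the one thing it can do.
    listed = pickle.dumps(eval)
    # A type nobody put on the blocklist: harmless here, but the loader cannot know that.
    unlisted = pickle.dumps(UnanticipatedType("not on any blocklist"))
    results = {}
    for filter_name, cls in (("blocklist", BlocklistUnpickler), ("allowlist", AllowlistUnpickler)):
        for input_name, data in (("legit", legit), ("listed", listed), ("unlisted", unlisted)):
            results[f"{filter_name}/{input_name}"] = load_with(cls, data)[0]
    return results


if __name__ == "__main__":
    for key, decision in compare_filters().items():
        print(f"{key:20} {decision}")
```

The one line that matters is `blocklist/unlisted`: the blocklist passes a type it was never told about, which is exactly the gap a filter bypass exploits, while the allowlist rejects it without anyone having to anticipate it. The corresponding .NET control is a SerializationBinder that resolves only expected types, or, better, not exposing a general-purpose object serializer to untrusted input at all.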
While an attacker must have valid domain user credentials to exploit CVE-2025-23120, Veeam backups are a high-value target for ransomware actors to steal and destroy data backups, causing operational impacts to a client. Backup systems are also often set up with administrator-level access to other systems, which could allow attackers to compromise other assets on the network.
How Beazley Security is responding
Beazley Security is monitoring client environments to identify impacted devices and supporting organizations in remediating any issues found.
We are also conducting threat hunts across our MDR environment to detect potential exploitation attempts of this vulnerability against our clients.