March 21, 2025

Another critical deserialization flaw found in Veeam backup

Veeam has released an update to address a critical vulnerability that impacts domain-joined instances of its Backup & Replication (VBR) software. The flaw, designated CVE-2025-23120, is a deserialization flaw that, if successfully exploited, could allow remote code execution (RCE).

In 2024, researchers discovered a different deserialization vulnerability in VBR, CVE-2024-40711, and disclosed it to Veeam. The company addressed the flaw by implementing a blocklist of known classes and objects that could be exploited. CVE-2025-23120 exploits a chain of function calls that isn't covered by this blocklist.


CVE-2025-23120 is somewhat mitigated by the fact that it only impacts VBR instances that have been joined to a domain. However, despite Veeam's recommendation not to do so, many companies choose to join their VBR servers to a Windows domain, making them vulnerable to CVE-2025-23120.

CVE-2025-23120 affects version 12.3.0.310 and all earlier version 12 builds of VBR. Veeam is urging impacted customers to upgrade to 12.3.1 as soon as possible.

Source: Bleeping Computer

Analysis

VBR has historically been a prime target for ransomware actors because it offers the opportunity to steal backup data for extortion or to encrypt backups, limiting victims' recovery options and thus increasing the likelihood of a ransom payment.

Several critical deserialization vulnerabilities have plagued VBR over the last two years. For example, the vulnerability referenced above, CVE-2024-40711, was exploited by multiple ransomware groups, including Frag, Akira, and Fog. As a result, the Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2024-40711 to its Known Exploited Vulnerabilities catalog and ordered federal agencies using VBR to secure their software within a month.

In 2023, a similar vulnerability in VBR, designated CVE-2023-27532, was quickly exploited by financially motivated and ransomware actors, despite a patch being available. Several months later, Cuba ransomware affiliates used the same vulnerability in attacks targeting U.S. critical infrastructure and IT companies based in Latin America.

Considering the abuse of CVE-2024-40711 and CVE-2023-27532, it’s likely only a matter of time before ransomware groups begin exploiting CVE-2025-23120 in a similar fashion.

Mitigation

Field Effect's Security Intelligence professionals constantly monitor the cyber threat landscape for vulnerabilities discovered in backup software like VBR. Field Effect MDR users are automatically notified if vulnerable software is detected in their environment and are encouraged to review these AROs as quickly as possible via the Field Effect Portal.

Field Effect strongly recommends that users of the affected Veeam products update to the latest version as soon as possible, in accordance with the advisory. Additionally, companies that have joined their VBR server to their domain should consider removing it from the domain, as recommended by Veeam.
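The two exposure conditions described above (a 12.x build at or below 12.3.0.310, and domain membership) can be checked on a VBR host with the following PowerShell. This is an added example, not Veeam's or Field Effect's code; it assumes the product version can be read from the file version of Veeam.Backup.Manager.exe in the default install directory, which is not stated in the article.

```powershell
# Added example: classify a Windows host against the CVE-2025-23120 conditions in the article.
# Assumption (not from the article): version is taken from Veeam.Backup.Manager.exe's file version
# at the default install path. Adjust $ExePath for non-default installs.
$ExePath        = 'C:\Program Files\Veeam\Backup and Replication\Backup\Veeam.Backup.Manager.exe'
$LastVulnerable = [version]'12.3.0.310'   # article: this build and all earlier 12.x builds are affected
$FixedVersion   = [version]'12.3.1'       # article: upgrade target

function Get-VbrVersion {
    param([string]$Path = $ExePath)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $raw = (Get-Item -LiteralPath $Path).VersionInfo.FileVersion
    # Keep only the numeric dotted prefix; some file version strings carry trailing text.
    if ($raw -match '^\d+(\.\d+){1,3}') { return [version]$Matches[0] }
    return $null
}

function Test-Cve202523120Exposure {
    param(
        [Parameter(Mandatory)][version]$Version,
        [Parameter(Mandatory)][bool]$DomainJoined
    )
    # The article only scopes the 12.x line; other majors are reported, not guessed at.
    if ($Version.Major -ne 12) {
        return [pscustomobject]@{ Version = $Version; DomainJoined = $DomainJoined
                                  Status = 'NotCoveredByArticle'; Action = 'Consult the Veeam advisory' }
    }
    # [version] compares field by field, so 12.3.1 correctly ranks above 12.3.0.310.
    $vulnerableBuild = $Version -le $LastVulnerable
    $status = if (-not $vulnerableBuild) { 'Patched' }
              elseif ($DomainJoined)     { 'Exposed' }          # both conditions met
              else                       { 'VulnerableBuild' }  # not exploitable per article, but unpatched
    $action = switch ($status) {
        'Exposed'         { "Upgrade to $FixedVersion now; remove server from the domain per Veeam guidance" }
        'VulnerableBuild' { "Upgrade to $FixedVersion; do not join this server to a domain" }
        default           { 'No action required for CVE-2025-23120' }
    }
    [pscustomobject]@{ Version = $Version; DomainJoined = $DomainJoined; Status = $status; Action = $action }
}

# Run against the local host.
$ver = Get-VbrVersion
if ($null -eq $ver) {
    Write-Output "Veeam.Backup.Manager.exe not found or unparseable at $ExePath"
} else {
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    Test-Cve202523120Exposure -Version $ver -DomainJoined ([bool]$cs.PartOfDomain) | Format-List
}
```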
