Critical Remote Code Execution Vulnerability Discovered in Veeam Backup & Replication

CyberSecureFox Editorial Team

watchTowr Labs researchers disclosed CVE-2025-23120, a critical deserialization remote code execution vulnerability in Veeam Backup & Replication with a CVSS score of 9.9. Every version 12 build up to and including 12.3.0.310 is affected. The patch is available in version 12.3.1 (build 12.3.1.1139), released by Veeam on March 28, 2025.

Deserialization Flaw in Two Core .NET Components

The vulnerability is rooted in unsafe .NET deserialization in two components: Veeam.Backup.EsxManager.xmlFrameworkDs and Veeam.Backup.Core.BackupSummary. When either component processes attacker-controlled serialized data, a malicious object graph can be injected, and arbitrary code then executes under the Veeam service account, which typically runs with SYSTEM or domain-level privileges. Veeam had previously deployed a class-based deserialization blocklist to stop the gadget chains known from earlier CVEs; watchTowr identified a new gadget chain that the existing blocklist does not cover, which shows that a blocklist-only approach is not a sufficient long-term defense.

Domain-Joined Veeam Servers: Any Domain User Can Exploit

The attack surface expands dramatically when Veeam Backup & Replication is joined to a Windows Active Directory domain, a common enterprise deployment. In this configuration, exploitation does not require a local or administrative account on the Veeam server itself; any authenticated domain user can reach the vulnerable endpoint. Ransomware operators have historically targeted Veeam infrastructure specifically because compromising backup servers allows them to delete or encrypt backup repositories, eliminating the victim's recovery option. Veeam Backup & Replication servers should not be domain-joined unless operationally required, and if a domain-joined host may already have been compromised, its domain membership should be reviewed before patching.

Patching CVE-2025-23120 in Veeam Backup & Replication

  • Upgrade to Veeam Backup & Replication 12.3.1 (build 12.3.1.1139); this is the only complete fix. The Veeam KB article for this release details upgrade prerequisites and rollback procedures.
  • If immediate patching is not possible, block inbound access to the Veeam backup server's management ports (TCP 9392, 9401) at the firewall for all non-administrative hosts.
  • Remove the Veeam server from the Active Directory domain if it was joined unnecessarily; this eliminates the broad "any domain user" attack surface while the patch is staged.
  • Audit backup repository permissions and confirm that backup files are stored on a separate, access-controlled network segment, not on the same host as the Veeam services.
  • Review Windows Event Logs on the Veeam server for unexpected SYSTEM-level process spawning (e.g., cmd.exe or powershell.exe launched by Veeam service processes) to detect any exploitation attempts prior to patching.
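As an added illustration of the log review step above (example code, not from the article or from Veeam), the following PowerShell hunts Security event 4688 (process creation) on the Veeam server for shells and script hosts spawned by a Veeam service process. It assumes process-creation auditing is enabled, that Veeam service binaries match the pattern `Veeam.Backup.*.exe` (an assumption to adjust for your install), and a 72-hour lookback.

```powershell
# Added example: hunt for cmd.exe / powershell.exe children of Veeam service processes.
# Assumptions: Security event 4688 is being logged, and Veeam service binaries are
# named Veeam.Backup.<Something>.exe (pattern below is an assumption; adjust as needed).
param(
    [int]$LookbackHours = 72
)

# Child processes that a backup service has no business launching.
$suspiciousChildren = @('cmd.exe', 'powershell.exe', 'pwsh.exe',
                        'wscript.exe', 'cscript.exe', 'mshta.exe', 'rundll32.exe')
$parentPattern = 'Veeam\.Backup\.[A-Za-z]+\.exe$'   # assumed naming of Veeam services
$since         = (Get-Date).AddHours(-$LookbackHours)

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } `
                       -ErrorAction SilentlyContinue

$hits = foreach ($ev in $events) {
    # Pull the EventData fields (NewProcessName, ParentProcessName, CommandLine, ...) out of the XML.
    $xml  = [xml]$ev.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    $child  = [System.IO.Path]::GetFileName([string]$data['NewProcessName']).ToLower()
    $parent = [string]$data['ParentProcessName']   # populated on Windows 10 / Server 2016 and later

    if ($parent -match $parentPattern -and $suspiciousChildren -contains $child) {
        [pscustomobject]@{
            Time        = $ev.TimeCreated
            Parent      = $parent
            Child       = $data['NewProcessName']
            User        = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            CommandLine = $data['CommandLine']   # present only if command-line auditing is enabled
        }
    }
}

if ($hits) {
    $hits | Sort-Object Time | Format-Table -AutoSize
} else {
    Write-Output "No shell or script-host children of Veeam service processes in the last $LookbackHours hours."
}
```

Any hit is worth treating as a potential exploitation attempt and preserving the surrounding 4688 events before the host is patched or rebuilt.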

Veeam CVEs have been weaponized by ransomware groups including Akira and EstateRansomware within weeks of disclosure in prior years. CVE-2025-23120’s CVSS 9.9 rating and the availability of a working proof-of-concept from watchTowr make the exploitation timeline for this vulnerability similarly short.
