
March 21, 2025

Veeam Patches Critical Remote Code Execution Vulnerability in Backup Servers


Data resilience solutions provider Veeam Software has released a crucial patch for its Veeam Backup & Replication product to address a significant remote code execution vulnerability. This issue arises from a deserialization flaw that allows authenticated accounts in the local user group on a Windows server to execute code as the SYSTEM user. The risk escalates significantly for Veeam servers connected to Active Directory (AD) domains, as domain users are typically included in the local user group on these machines. This means that if attackers can run malicious code on any Windows machine within the network, they could further exploit this vulnerability on the Veeam server.

The vulnerability has been assigned the identifier CVE-2025-23120. However, security researchers from the firm watchTowr believe that it represents two separate vulnerabilities due to the different exploitation methods available.

Veeam is advising users to upgrade to version 12.3.1 of the product or apply a specific hotfix for version 12.3 if an immediate upgrade is not feasible. It’s worth noting that this hotfix is only applicable to deployments that haven’t received other hotfixes, as it may inadvertently replace them.

This flaw is linked to a previous vulnerability, CVE-2024-40711, which was never fully addressed. WatchTowr found that the earlier patch failed to cover all cases, opening the door to renewed attacks. Ransomware groups and other cybercriminals have exploited older vulnerabilities in Veeam Backup & Replication multiple times since 2023.

The vulnerability pertains to how data is serialized (converted to a byte stream for application transmission) and deserialized (the reverse process). Many previous vulnerabilities of this type across various programming languages stem from handling untrusted input during deserialization.

Application developers often attempt to mitigate deserialization risks by creating blacklists of classes deemed dangerous. Unfortunately, researchers indicate that this approach tends to be incomplete, as it relies on the assumption that all harmful classes can be cataloged. They point out that historical evidence shows blacklists can be circumvented, illustrating the flaws in that methodology.

For instance, Veeam maintained a list of classes that it prohibited from being deserialized via the .NET BinaryFormatter. When CVE-2024-40711 was reported, the company added one specific class to that list, but subsequent discoveries by watchTowr identified further exploitable classes that needed blacklisting, ultimately resulting in the new CVE-2025-23120.

The ease with which the latest vulnerability can be exploited has raised concerns about the effectiveness of blacklisting as a security measure. WatchTowr’s researchers assert that protecting deserialization sinks through such methods should be reconsidered, as vulnerabilities will inevitably arise, regardless of the meticulousness of the blacklist.
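The blacklist-versus-allowlist distinction the researchers draw, as an added example that is not Veeam's code: two .NET SerializationBinder implementations applied to the same BinaryFormatter streams. The type names (BackupJobSummary, Unexpected, the single denylist entry) are constructed for the illustration, and the code assumes .NET Framework 4.8, where BinaryFormatter is still enabled.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Formatters.Binary;

// Added illustration, not Veeam code. Assumes .NET Framework 4.8, where
// BinaryFormatter is still enabled (it is disabled by default on .NET 8+).
[Serializable] public class BackupJobSummary { public string Name; public int Files; }  // constructed: the type the stream should carry
[Serializable] public class Unexpected { public string Note; }  // constructed: a type no denylist has catalogued
// Denylist binder: the approach the article criticises. Anything absent from
// the list resolves normally, so every type the list forgets gets through.
public class DenylistBinder : SerializationBinder
{
    // placeholder entry standing in for the one class added after the earlier CVE
    static readonly HashSet<string> Blocked = new HashSet<string> { "Example.TypeReportedLastYear" };
    public override Type BindToType(string assemblyName, string typeName)
    {
        if (Blocked.Contains(typeName)) throw new SerializationException("denylisted: " + typeName);
        return Type.GetType(typeName + ", " + assemblyName, throwOnError: true);
    }
}
// Allowlist binder: only the types this stream is meant to contain resolve;
// everything else, catalogued or not, is refused before any type is loaded.
public class AllowlistBinder : SerializationBinder
{
    static readonly Dictionary<string, Type> Allowed = new Dictionary<string, Type>
        { [typeof(BackupJobSummary).FullName] = typeof(BackupJobSummary) };
    public override Type BindToType(string assemblyName, string typeName)
    {
        if (Allowed.TryGetValue(typeName, out Type t)) return t;
        throw new SerializationException("not on allowlist: " + typeName);
    }
}
public static class Demo
{
    static byte[] Serialize(object o) { var ms = new MemoryStream(); new BinaryFormatter().Serialize(ms, o); return ms.ToArray(); }
    // Deserialize under a given binder and report whether the stream was accepted or refused.
    static string Check(byte[] data, SerializationBinder binder)
    {
        try { var f = new BinaryFormatter { Binder = binder }; return "accepted " + f.Deserialize(new MemoryStream(data)).GetType().Name; }
        catch (SerializationException e) { return "rejected, " + e.Message; }
    }
    public static void Main()
    {
        byte[] good = Serialize(new BackupJobSummary { Name = "nightly", Files = 42 });  // the expected message
        byte[] other = Serialize(new Unexpected { Note = "never catalogued" });          // a type on no list at all
        foreach (SerializationBinder b in new SerializationBinder[] { new DenylistBinder(), new AllowlistBinder() })
            Console.WriteLine(b.GetType().Name + ": " + Check(good, b) + " / " + Check(other, b));
    }
}
```

The denylist binder accepts the Unexpected stream because nothing has catalogued that type, which is exactly the gap the article describes; the allowlist binder refuses it without ever resolving the type.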

For further details, refer to Veeam’s security advisory and the analysis by watchTowr.

