
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
CVE-2025-23120 is a critical remote code execution (RCE) vulnerability in Veeam Backup & Replication software, discovered by Piotr Bazydlo of watchTowr and disclosed on March 19, 2025. The vulnerability affects Veeam Backup & Replication version 12.3.0.310 and all earlier version 12 builds, particularly impacting domain-joined backup servers. It received a CVSS v3.1 score of 9.9, indicating critical severity (Veeam KB4724, Rapid7 Blog).
The vulnerability is a deserialization of untrusted data issue, similar to the earlier CVE-2024-40711. It involves two specific deserialization gadgets, xmlFrameworkDs and BackupSummary, both of which extend the DataSet class and can be abused to achieve remote code execution. It can be exploited by any user belonging to the local users group on the Windows host running the Veeam server, or by any domain user if the server is joined to an Active Directory domain (watchTowr Labs).
If successfully exploited, the vulnerability allows authenticated domain users to execute remote code on the backup server with SYSTEM privileges. This is particularly concerning as backup solutions are commonly targeted by threat actors, and Veeam Backup & Replication has a very large deployment footprint. According to Rapid7's incident response data, more than 20% of their cases in 2024 involved Veeam being accessed or exploited in some manner (Rapid7 Blog).
Veeam has released version 12.3.1 (build 12.3.1.1139) to address this vulnerability. For existing deployments of version 12.3 (build 12.3.0.310), a hotfix is available for customers who cannot immediately update to version 12.3.1. Organizations running versions lower than 12.3.0.310 should upgrade directly to version 12.3.1. Additionally, Veeam recommends ensuring that Backup & Replication is not exposed to the internet (Veeam KB4724).
On March 28, 2025, security researchers at CODE WHITE GmbH reported on social media that it was possible to bypass the patch for CVE-2025-23120. While Rapid7 has not directly confirmed the patch bypass, they expressed confidence in the validity of the finding (Rapid7 Blog).
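As an added triage example that is not part of this report or of Veeam's own tooling, the function below encodes the build boundaries quoted above (affected up to and including 12.3.0.310, hotfix only for 12.3.0.310, fixed in 12.3.1.1139) together with the exposure difference between domain-joined and standalone hosts; the host names and version strings in the inventory are constructed, and the March 28 bypass report is not modelled.

```python
"""Triage helper for CVE-2025-23120 in Veeam Backup & Replication.

Encodes the build boundaries from Veeam KB4724 as quoted in this report:
every version 12 build up to and including 12.3.0.310 is affected, the
hotfix applies only to 12.3.0.310, and 12.3.1 (build 12.3.1.1139) is fixed.
Builds are the four-part strings Veeam uses, e.g. "12.3.0.310".
"""
from dataclasses import dataclass

HOTFIX_BUILD = (12, 3, 0, 310)   # the only build with an out-of-band hotfix
FIXED_BUILD = (12, 3, 1, 1139)   # first build containing the fix


def parse_build(version: str) -> tuple[int, int, int, int]:
    """Turn "12.3.0.310" (or a shorter prefix such as "12.3") into a 4-tuple."""
    parts = version.strip().split(".")
    if not 1 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Veeam build string: {version!r}")
    nums = [int(p) for p in parts] + [0] * (4 - len(parts))
    return nums[0], nums[1], nums[2], nums[3]


@dataclass(frozen=True)
class Assessment:
    status: str    # "affected", "fixed" or "unknown" (not a version 12 build)
    action: str    # remediation step taken from the advisory text
    exposure: str  # who can reach the deserialization path


def assess(version: str, domain_joined: bool) -> Assessment:
    """Classify one backup server against the advisory's version boundaries."""
    build = parse_build(version)
    if build[0] != 12:  # the report only scopes version 12; do not guess for others
        return Assessment("unknown", "not a version 12 build; outside this advisory", "n/a")
    # Domain-joined servers are reachable by any domain user, standalone ones
    # by any member of the local users group (per the report).
    exposure = ("any domain user" if domain_joined
                else "any member of the local users group on the Windows host")
    if build >= FIXED_BUILD:
        return Assessment("fixed", "none required; keep the server off the internet", exposure)
    if build == HOTFIX_BUILD:
        return Assessment("affected", "apply the 12.3.0.310 hotfix or upgrade to 12.3.1.1139", exposure)
    # Builds between 12.3.0.310 and 12.3.1.1139 are not named in the advisory;
    # treating everything below the fixed build as affected is the conservative reading.
    return Assessment("affected", "upgrade directly to 12.3.1.1139", exposure)


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for host, ver, joined in [("bkp01", "12.3.0.310", True), ("bkp02", "12.1.0.100", False)]:
        a = assess(ver, joined)
        print(f"{host} {ver}: {a.status}; {a.action}; reachable by {a.exposure}")
```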
Source: This report was generated using AI