Critical Remote Code Execution Vulnerability Patched in Veeam Backup Servers

Data resilience solutions provider Veeam Software has recently addressed a critical remote code execution vulnerability in its Veeam Backup & Replication product with a new patch. This flaw, identified as CVE-2025-23120, emerges from an incomplete fix related to a previous vulnerability (CVE-2024-40711) that had already been exploited by ransomware attackers.

The current flaw allows any authenticated user in the local Users group of a Windows host to potentially execute code on the Veeam server. The risk is particularly pronounced for Veeam servers joined to an Active Directory (AD) domain, because domain users are typically members of the local Users group. In practice, if malicious code runs on any Windows machine connected to the same network, an attacker can exploit this vulnerability using that computer's account.

Researchers at the security firm watchTowr have indicated that the recent vulnerability should be classified as two separate issues due to different exploitation pathways. Users are urged to upgrade to Veeam Backup & Replication version 12.3.1 or apply a critical hotfix if an upgrade isn’t feasible. However, this hotfix can only be applied to installations not previously updated with other hotfixes.

The vulnerability can be traced back to mismanaged deserialization processes, with the original patch relying on a blacklist approach to mitigate exploit risks. watchTowr highlighted the shortcomings of such methodologies, pointing out that blacklists are often ineffective because they rest on the assumption that every dangerous class can be identified and monitored in advance. They argue that, regardless of the protective measures, the potential for future exploitation remains high.

To mitigate this issue, Veeam had previously blacklisted certain known exploitable classes; however, further vulnerabilities have since been identified. Simple modifications have allowed attackers to adapt existing exploits used for older vulnerabilities, demonstrating the inefficacy of blacklists in preventing new attack vectors.
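The two paragraphs above describe why a blacklist of known-dangerous classes keeps failing while an allowlist of expected classes does not. The following added example (not Veeam's code, and not tied to their serializer) illustrates the difference with Python's pickle, whose `find_class` hook is the point where a deserializer decides which types it will resolve. The module and class names used as the "known bad" and "unanticipated" entries are constructed stand-ins chosen only because they are harmless standard-library classes; nothing is executed when they are resolved.

```python
"""Added example: allowlist vs blocklist type resolution during deserialization.
Not Veeam's code; class names are constructed stand-ins, not real gadgets."""
import collections
import io
import json
import pickle

# Constructed stand-in for "classes known to be dangerous" when the patch shipped.
BLOCKLIST = {("json.decoder", "JSONDecoder")}

# Constructed allowlist: only the types this (hypothetical) format legitimately needs.
ALLOWLIST = {("collections", "OrderedDict")}


class BlocklistUnpickler(pickle.Unpickler):
    """Resolves any global except those on the blocklist (the weak pattern)."""

    def find_class(self, module, name):
        if (module, name) in BLOCKLIST:
            raise pickle.UnpicklingError(f"blocked: {module}.{name}")
        return super().find_class(module, name)


class AllowlistUnpickler(pickle.Unpickler):
    """Resolves only globals explicitly on the allowlist (the robust pattern)."""

    def find_class(self, module, name):
        if (module, name) not in ALLOWLIST:
            raise pickle.UnpicklingError(f"not allowed: {module}.{name}")
        return super().find_class(module, name)


def load(policy_cls, data: bytes) -> str:
    """Return 'accepted' or 'rejected' for a serialized blob under one policy."""
    try:
        policy_cls(io.BytesIO(data)).load()
        return "accepted"
    except pickle.UnpicklingError:
        return "rejected"


# Constructed inputs: plain data, a legitimately needed type, a type the blocklist
# anticipated, and a type it did not (the case a blocklist silently lets through).
SAMPLES = {
    "plain_dict": pickle.dumps({"job": "backup", "retention_days": 30}),
    "legit_type": pickle.dumps(collections.OrderedDict()),
    "listed_type": pickle.dumps(json.JSONDecoder),
    "unlisted_type": pickle.dumps(json.JSONEncoder),
}


def compare_policies() -> dict:
    """Run every sample through both policies: {sample: (blocklist, allowlist)}."""
    return {
        name: (load(BlocklistUnpickler, blob), load(AllowlistUnpickler, blob))
        for name, blob in SAMPLES.items()
    }


if __name__ == "__main__":
    for sample, (block, allow) in compare_policies().items():
        print(f"{sample:14} blocklist={block:9} allowlist={allow}")
```

The `unlisted_type` row is the whole argument: the blocklist accepts a reference it never anticipated, while the allowlist rejects it without anyone having to discover it first. An allowlist only has to be correct about what the format legitimately contains, which is a much smaller and more stable set than "everything an attacker might reach".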

In conclusion, organizations using Veeam should prioritize upgrading their systems following this critical patch, as the consequences of exploitation could be severely detrimental.
