
TL;DR
- CVE-2025-23120: A critical remote code execution (RCE) vulnerability in Veeam Backup & Replication.
- Severity: 9.9 (CRITICAL) on the CVSS scale.
- Affected Systems: Veeam Backup & Replication versions 12.3.0.310 and earlier.
- Exploitation: Requires authenticated domain users; impacts domain-joined backup servers.
- Patch Available: Fixed in Veeam Backup & Replication 12.3.1 (build 12.3.1.1139).
- Red-Team Relevance: Exploitable for privilege escalation and lateral movement in domain environments.
- C-Suite Summary: Immediate patching is critical to prevent potential ransomware attacks and data breaches.
Critical Remote Code Execution Vulnerability in Veeam Backup & Replication (CVE-2025-23120)
On March 19, 2025, Veeam disclosed a critical remote code execution (RCE) vulnerability, tracked as CVE-2025-23120, affecting its widely used Veeam Backup & Replication software. With a CVSS score of 9.9 (CRITICAL), this vulnerability poses a significant risk to organizations relying on Veeam for data backup and recovery. The flaw allows authenticated domain users to execute arbitrary code on affected systems, potentially leading to full system compromise.
C-Suite Summary
CVE-2025-23120 is a critical vulnerability in Veeam Backup & Replication that allows authenticated domain users to execute arbitrary code on affected systems. Given the high likelihood of domain-joined backup servers in enterprise environments, this flaw poses a significant risk of ransomware attacks and data breaches.
Key Actions for Leadership
- Prioritize Patching: Ensure all Veeam Backup & Replication servers are updated to version 12.3.1 immediately.
- Review Domain Configurations: Consider removing backup servers from the domain to reduce attack surface.
- Monitor for Exploitation: Implement robust monitoring to detect any unauthorized access or code execution attempts.
Vulnerability Details
CVE-2025-23120 is a deserialization vulnerability that impacts Veeam Backup & Replication versions 12.3.0.310 and earlier. The issue arises from improper handling of deserialized data, which authenticated domain users can exploit to execute malicious code. Notably, the vulnerability only affects systems where the backup server is joined to an Active Directory (AD) domain, a common configuration in enterprise environments [1][2].
According to Veeam’s advisory, the flaw was discovered by Piotr Bazydlo of watchTowr Labs, who also provided a detailed technical analysis and proof-of-concept (PoC) exploit code [3]. The vulnerability is similar to a previously disclosed issue, CVE-2024-40711, which also involved deserialization flaws in Veeam’s software [4].
Impact and Exploitation
The vulnerability allows any authenticated domain user to execute code with SYSTEM-level privileges on the affected backup server. This makes it particularly dangerous in environments where backup servers are domain-joined, as it can be exploited by any user with domain credentials. Attackers could leverage this flaw to escalate privileges, move laterally within the network, or deploy ransomware [5].
“Imagine that any employee of your 50,000-person organization can get SYSTEM on your backup server. Kind of scary, right?” — Piotr Bazydlo, watchTowr Labs [6].
Mitigation and Patching
Veeam has released a patch in Veeam Backup & Replication 12.3.1 (build 12.3.1.1139) to address the vulnerability. Organizations are urged to upgrade to this version immediately, as unsupported versions are also likely vulnerable [7]. The patch not only fixes CVE-2025-23120 but also includes other security improvements and bug fixes [8].
For organizations unable to patch immediately, Veeam recommends ensuring that backup servers are not joined to the domain, as this significantly reduces the attack surface [9].
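The two preconditions in the advisory (an unpatched build and a domain-joined backup server) translate directly into a fleet check. The following PowerShell is an added example, not code from Veeam or from the advisory: it reads the installed build from the Windows uninstall registry, compares it with the first fixed build 12.3.1.1139, and combines that with the host's domain membership to say whether CVE-2025-23120 is reachable on this host. It assumes the product registers a standard uninstall entry whose DisplayName starts with "Veeam Backup & Replication" and whose DisplayVersion is a four-part build string such as "12.3.0.310"; neither assumption comes from the advisory. The function names are illustrative.

```powershell
# Added example (not Veeam's code): read-only exposure check for CVE-2025-23120.
# Exposure per the advisory needs BOTH an unpatched build (< 12.3.1.1139)
# AND membership in an Active Directory domain.
#
# Assumptions (not stated in the advisory): the installer registers an
# uninstall entry whose DisplayName starts with "Veeam Backup & Replication"
# and whose DisplayVersion is a four-part build string like "12.3.0.310".

$FixedBuild = [version]'12.3.1.1139'   # first fixed build per Veeam KB4724

function Get-VeeamBackupVersion {
    # Scan both the 64-bit and the 32-bit uninstall hives for the product entry.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Veeam Backup & Replication*' } |
        Select-Object -First 1 -ExpandProperty DisplayVersion
}

function Test-Cve202523120Exposure {
    param(
        # Defaults read the live host; pass both values explicitly to evaluate
        # an inventory record offline (for example from a CMDB export).
        [string]$InstalledVersion = (Get-VeeamBackupVersion),
        [bool]$DomainJoined = (Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain
    )

    if (-not $InstalledVersion) {
        return [pscustomobject]@{
            Version      = $null
            DomainJoined = $DomainJoined
            Unpatched    = $false
            Exposed      = $false
            Action       = 'Veeam Backup & Replication not found in the uninstall registry; nothing to do on this host.'
        }
    }

    # [version] comparison handles multi-digit components correctly
    # (string comparison would rank "12.3.0.310" above "12.3.1.1139").
    $unpatched = [version]$InstalledVersion -lt $FixedBuild

    # Both conditions from the advisory must hold for the flaw to be reachable.
    $exposed = $unpatched -and $DomainJoined

    $action = if ($exposed) {
        "Upgrade to $FixedBuild now; until then Veeam's workaround is to remove the backup server from the domain."
    } elseif ($unpatched) {
        "Upgrade to $FixedBuild; the host is not domain-joined, so the CVE-2025-23120 precondition is not met, but the other 12.3.1 fixes still apply."
    } else {
        'Fixed build or later is installed; no action needed for CVE-2025-23120.'
    }

    [pscustomobject]@{
        Version      = $InstalledVersion
        DomainJoined = $DomainJoined
        Unpatched    = $unpatched
        Exposed      = $exposed
        Action       = $action
    }
}

# Live check of the current host (needs local admin to read HKLM reliably):
Test-Cve202523120Exposure | Format-List

# Offline evaluation of constructed inventory records (sample values, not real hosts):
Test-Cve202523120Exposure -InstalledVersion '12.3.0.310'  -DomainJoined $true
Test-Cve202523120Exposure -InstalledVersion '12.3.1.1139' -DomainJoined $true
Test-Cve202523120Exposure -InstalledVersion '12.1.2.172'  -DomainJoined $false
```

The first constructed record is flagged Exposed, the second is not (fixed build), and the third is Unpatched but not Exposed because the host is not domain-joined; that last case still gets an upgrade recommendation, matching the advisory's point that the domain workaround reduces exposure but does not replace the patch.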
Red-Team Relevance
For red teams, CVE-2025-23120 presents a valuable opportunity for privilege escalation and lateral movement within domain environments. Since the vulnerability can be exploited by any authenticated domain user, red teams can use it to gain SYSTEM-level access on backup servers, which are often high-value targets due to their access to sensitive data.
Exploitation Steps:
- Reconnaissance: Identify domain-joined Veeam Backup & Replication servers.
- Initial Access: Use compromised domain credentials to authenticate to the target server.
- Exploitation: Deploy a modified PoC exploit (based on CVE-2024-40711) to execute arbitrary code.
- Post-Exploitation: Use SYSTEM-level access to pivot to other systems or exfiltrate data.
This vulnerability is particularly useful in ransomware simulations, as backup servers are often targeted by attackers to prevent recovery.
Conclusion
CVE-2025-23120 underscores the importance of timely patching and secure configuration practices, especially for critical infrastructure like backup servers. With PoC exploit code already available, organizations must act swiftly to mitigate the risk of exploitation. For red teams, this vulnerability offers a powerful tool for simulating advanced attacks, highlighting the need for robust defenses in enterprise environments.
References
- [1] Veeam Software (March 19, 2025). “KB4724: CVE-2025-23120”. Veeam Knowledge Base.
- [2] Rapid7 (March 19, 2025). “Critical Veeam Backup & Replication CVE-2025-23120”. Rapid7 Blog.
- [3] watchTowr Labs (March 20, 2025). “By Executive Order, We Are Banning Blacklists – Domain-Level RCE in Veeam Backup & Replication (CVE-2025-23120)”. watchTowr Labs.
- [4] Arctic Wolf (March 21, 2025). “CVE-2025-23120”. Arctic Wolf Blog.
- [5] NVD (March 20, 2025). “CVE-2025-23120 Detail”. National Vulnerability Database.
- [6] Veeam Community (March 19, 2025). “CVE-2025-23120 – A vulnerability allowing remote code execution (RCE) by authenticated domain users”. Veeam Community Resource Hub.
- [7] Help Net Security (March 20, 2025). “Critical Veeam Backup & Replication RCE vulnerability fixed, patch ASAP! (CVE-2025-23120)”. Help Net Security.
- [8] COOLSPIRiT (March 21, 2025). “Vulnerability in Veeam Backup & Replication (CVE-2025-23120)”. COOLSPIRiT Blog.
- [9] Rapid7 (March 11, 2025). “Patch Tuesday – March 2025”. Rapid7 Blog.
Metadata
Keywords: CVE-2025-23120, Veeam Backup & Replication, Remote Code Execution, RCE, Active Directory, Privilege Escalation, Red Team, Patch Management, Cybersecurity, Vulnerability Management