Logic scanner now available! Try it out
Back
CVE Analysis - 7 min read

Exploiting Trust: Inside CVE-2025-23120 Veeam Backup & Replication RCE Vulnerability

An in-depth technical breakdown of CVE-2025-23120, a critical remote code execution vulnerability affecting Veeam Backup & Replication, including exploitation methods, detection strategies, and immediate patching guidance.

ZeroPath Security Research

ZeroPath Security Research

2025-03-20
Exploiting Trust: Inside CVE-2025-23120 Veeam Backup & Replication RCE Vulnerability

Exploiting Trust: Inside CVE-2025-23120 Veeam Backup & Replication RCE Vulnerability

Introduction

Enterprise backup solutions are the last line of defense against ransomware attacks. CVE-2025-23120, a critical remote code execution vulnerability in Veeam Backup & Replication, threatens this critical infrastructure. With a CVSS score of 9.9, this flaw allows authenticated domain users to execute arbitrary code, potentially enabling devastating ransomware attacks.

Affected Systems and Versions

  • Product: Veeam Backup & Replication
  • Affected Versions: All builds of version 12.x up to and including 12.3.0.310
  • Configurations: Domain-joined backup servers

Technical Deep Dive

The vulnerability stems from insecure deserialization within Veeam's .NET Remoting interface. Specifically, the classes Veeam.Backup.EsxManager.xmlFrameworkDs and Veeam.Backup.Core.BackupSummary were not properly blocklisted, allowing attackers to exploit gadget chains for remote code execution.

Root Cause

The issue arises from the deserialization mechanism, where the class CDbCryptoKeyInfo permits inner deserialization based on a blocklist approach. The absence of critical entries in this blocklist allows attackers to craft malicious payloads exploiting the vulnerable classes.

Attack Vector

  • Authentication Required: Yes (domain user credentials)
  • Network Port: TCP/9401 (.NET Remoting Channel)
  • Configuration Dependency: Domain-joined backup servers

Proof of Concept

A detailed proof-of-concept exploit has been documented by watchTowr Labs. It demonstrates exploitation via crafted payloads targeting the vulnerable deserialization mechanism. However, the exact exploit code is not publicly available at this time.

Patch Information

  • Patched Version: Veeam Backup & Replication 12.3.1.1139
  • Patch Steps:
    1. Download the latest patch from Veeam KB4724.
    2. Apply the patch following Veeam's official upgrade instructions.
    3. Verify successful patching by checking the build number (12.3.1.1139).

Alternative Mitigations

  • Remove backup servers from Active Directory domains.
  • Restrict network access to TCP port 9401.

Detection Methods

  • Network Monitoring: Monitor traffic on TCP port 9401 for unusual activity.
  • Process Monitoring: Look for unexpected execution of cmd.exe or powershell.exe on backup servers.
  • Log Analysis: Audit logs for unauthorized access attempts or anomalous deserialization errors.

Vendor Security History

Veeam has previously faced critical vulnerabilities, including CVE-2023-27532, actively exploited by ransomware groups. Rapid7 reports over 20% of their 2024 incident responses involved Veeam compromises, underscoring the importance of rapid patch deployment and adherence to security best practices.

References

Security teams must act swiftly to secure their backup infrastructure against this critical vulnerability.

Ready for effortless AppSec?

Get a live ZeroPath tour.

Schedule a demo with one of the founders Dean Valentine Raphael Karger Nathan Hrncirik Yaacov Tarko to get started.

Schedule a demo