
Critical Vulnerability in Veeam Backup & Replication Exposes Enterprises to Remote Code Execution



A newly discovered critical vulnerability in Veeam’s Backup & Replication software, designated as CVE-2025-23120, poses a significant security risk to enterprise environments. The flaw allows authenticated domain users to execute arbitrary code remotely, potentially leading to full compromise of backup infrastructures.

About CVE-2025-23120

The vulnerability is an insecure deserialization issue in Veeam Backup & Replication components, in particular the .NET classes Veeam.Backup.EsxManager.xmlFrameworkDs and Veeam.Backup.Core.BackupSummary. Because these components do not properly validate their input, an attacker can inject malicious serialized objects that are executed on the server side, resulting in Remote Code Execution (RCE).

This issue affects systems where Veeam Backup & Replication is deployed in a domain-joined configuration, which—while common—is not recommended by Veeam.

The vulnerability has been given a CVSS v3.1 score of 9.9, classifying it as critical.

Security Risks

Exploitation of this vulnerability can allow:

Unauthorized access to backup management interfaces

Execution of arbitrary code with system privileges

Theft or destruction of sensitive backup data

Bypass of backup integrity mechanisms and potential ransomware delivery

Since backup systems are central to organizational disaster recovery plans, any compromise can result in devastating consequences, including operational shutdowns and regulatory non-compliance.

Recommended Actions

To mitigate the vulnerability, Veeam has issued security patches and advisories. Organizations should take the following steps immediately:

1. Upgrade to the patched version of Veeam Backup & Replication as outlined in the security advisory.

2. Avoid domain-joined deployments where possible, following Veeam’s best practice configurations.

3. Restrict access to Veeam services using firewalls, role-based access control, and strong authentication.

4. Enable security monitoring and review system logs for suspicious activities.
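
An exposure check to support steps 2 and 3, as an added example that is not from Veeam or the original article: it reports whether the host is domain-joined, which Veeam services are installed, and which TCP ports Veeam processes listen on, so the result can be compared against firewall rules. Matching services and processes by the name pattern `Veeam*` is an assumption; adjust it to your installation.

```powershell
# Added example (not from the article or from Veeam).
# Assumption: Veeam services and processes match the name pattern 'Veeam*'.
function Get-VeeamExposureReport {
    [CmdletBinding()]
    param(
        [string]$NamePattern = 'Veeam*'
    )

    # Domain membership: the article states the issue affects domain-joined deployments.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem

    # Installed services whose display name matches the pattern.
    $services = @(Get-Service -DisplayName $NamePattern -ErrorAction SilentlyContinue)

    # PID -> process name for matching processes.
    $procs = @{}
    Get-Process -Name $NamePattern -ErrorAction SilentlyContinue |
        ForEach-Object { $procs[[int]$_.Id] = $_.ProcessName }

    # Listening TCP sockets owned by those processes (input for firewall review).
    $listeners = @(
        Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
            Where-Object { $procs.ContainsKey([int]$_.OwningProcess) } |
            ForEach-Object {
                [pscustomobject]@{
                    Process      = $procs[[int]$_.OwningProcess]
                    LocalAddress = $_.LocalAddress
                    LocalPort    = $_.LocalPort
                }
            } |
            Sort-Object LocalPort, LocalAddress -Unique
    )

    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        PartOfDomain          = [bool]$cs.PartOfDomain
        Domain                = $cs.Domain
        VeeamServices         = @($services | Select-Object Name, Status)
        Listeners             = $listeners
        # True only means the host matches the affected deployment type;
        # patch level is not checked here.
        DomainJoinedWithVeeam = ([bool]$cs.PartOfDomain -and $services.Count -gt 0)
    }
}

$report = Get-VeeamExposureReport
$report | Format-List ComputerName, PartOfDomain, Domain, DomainJoinedWithVeeam
$report.Listeners | Format-Table -AutoSize
```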

Official Resources and References

Veeam Security Advisory – CVE-2025-23120

https://www.veeam.com/kb4724

SOCRadar Security Analysis:

“Veeam CVE-2025-23120: Remote Code Execution”

National Vulnerability Database (NVD):

CVE-2025-23120 Entry (to be updated as published by NIST)

Veeam Official Blog:

https://www.veeam.com/blog.html


