A recent security alert has been issued regarding unpatched Veeam Backup & Replication servers that are attached to a production domain, highlighting a “real danger” for users. The vulnerability, known as CVE-2025-23120, allows authenticated domain users to remotely execute code, posing a significant risk to organizations. Veeam has rated this critical vulnerability 9.9 out of 10 on the Common Vulnerability Scoring System scale.
In response to this threat, Veeam has released a patch for the vulnerability in the form of Veeam Backup & Replication 12.3.1. The security alert issued by Veeam indicates that previous versions of the software, including all 12.3 versions and earlier builds, are also affected by the flaw. While there is currently no publicly available proof-of-concept exploit, security experts are advising users to apply the patch immediately to prevent potential exploitation by threat actors, especially ransomware groups.
According to Rapid7, a cybersecurity firm, Veeam Backup & Replication has been a target for hackers in numerous incidents, with over 20% of the incidents responded to by Rapid7 in 2024 involving some form of Veeam exploitation. The firm recommends that Veeam users ensure that their backup servers are not exposed to the internet to mitigate the risk of attacks.
One of the key recommendations to limit exposure is to avoid joining the Veeam Backup & Replication server to the same domain as the users who would satisfy the vulnerability's authentication requirement. Veeam explicitly advises against this practice, stating that backup servers should not be members of a production domain. Instead, the company recommends placing backup infrastructure components in a separate management domain in a separate Active Directory forest, so that a compromised production account does not by itself grant authenticated access to the backup server.
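The two conditions the article describes (a domain-joined backup server and a build older than 12.3.1) can be checked from the server itself. The following PowerShell script is an added example for defenders, not code from the article or from Veeam; it is read-only and reports the host's domain membership and the installed product version. The Uninstall registry lookup and the `Veeam Backup & Replication*` DisplayName match are assumptions about how the product registers itself, and the fixed version is taken from the article's statement that 12.3.1 carries the patch.

```powershell
# Added example (not from the article or from Veeam): read-only posture check
# for a Veeam Backup & Replication server. Reports whether the host is joined to
# a domain (the precondition for an authenticated domain user to reach the
# flaw) and whether the installed build is older than the fixed release.

$FixedVersion = [version]'12.3.1'   # fixed release named in the advisory

function Get-VeeamDomainExposure {
    # Win32_ComputerSystem exposes PartOfDomain and the joined domain name.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    [pscustomobject]@{
        ComputerName = $cs.Name
        DomainJoined = [bool]$cs.PartOfDomain
        Domain       = $cs.Domain
    }
}

function Get-VeeamInstalledVersion {
    # Assumption: the product registers under the standard Uninstall keys with
    # a DisplayName beginning "Veeam Backup & Replication". Adjust if your
    # installation differs.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Veeam Backup & Replication*' } |
        Select-Object -First 1 -ExpandProperty DisplayVersion
}

function Test-VeeamPatchState {
    param([version]$Fixed = $FixedVersion)

    $exposure  = Get-VeeamDomainExposure
    $rawVer    = Get-VeeamInstalledVersion
    $installed = $null
    if ($rawVer) { $installed = [version]$rawVer }

    $findings = @()
    if ($exposure.DomainJoined) {
        $findings += "Host is joined to domain '$($exposure.Domain)'; vendor guidance is a separate management domain/forest."
    }
    if (-not $installed) {
        $findings += 'Veeam Backup & Replication not found in Uninstall keys; verify the installation manually.'
    } elseif ($installed -lt $Fixed) {
        $findings += "Installed build $installed is older than the fixed release $Fixed; apply the update."
    }
    if ($exposure.DomainJoined -and $installed -and $installed -lt $Fixed) {
        $findings += 'Both conditions present: unpatched build on a domain-joined server.'
    }

    [pscustomobject]@{
        ComputerName     = $exposure.ComputerName
        DomainJoined     = $exposure.DomainJoined
        Domain           = $exposure.Domain
        InstalledVersion = $installed
        FixedVersion     = $Fixed
        NeedsAction      = ($findings.Count -gt 0)
        Findings         = $findings
    }
}

# Usage: run on the backup server in an elevated or standard PowerShell session.
Test-VeeamPatchState | Format-List
```

The version comparison uses PowerShell's `[version]` type so that a four-part build string such as `12.3.0.xxx` sorts correctly below `12.3.1`; a plain string comparison would not. The script only reads CIM and registry data, so it is safe to include in a scheduled compliance sweep across backup hosts.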
The vulnerability, discovered by watchTowr, was reported to Veeam on February 5, and the vendor promptly acknowledged the issue and prepared a fix. The patch was released on March 10, addressing the deserialization vulnerability that could allow attackers to execute malicious code on vulnerable servers.
Security researchers have highlighted the underlying issue with how Veeam Backup & Replication handles deserialization, exposing internal deserialization capabilities that could be abused by attackers. Veeam's use of a custom formatter to guard against unsafe deserialization is commended, but the accompanying whitelist of permitted types is broad, so types with potentially malicious side effects may still be reachable through it.
Although only a single CVE was assigned, the researchers warn that it may not capture the full scope of the risk posed by the deserialization weakness. Because new deserialization gadgets may yet be discovered, they emphasize the importance of ongoing vigilance and patching to secure Veeam environments against future exploits.
In conclusion, the alert for unpatched Veeam servers attached to production domains highlights the critical need for organizations to apply security patches promptly and follow best practices to mitigate the risk of exploitation. As threat actors continue to target backup tools and popular software like Veeam, staying informed and proactive in addressing vulnerabilities is crucial to safeguarding critical data and systems.