CVE-2025-23120
published 2025-03-20

CVE-2025-23120: A vulnerability in Veeam Backup & Replication allowing remote code execution (RCE) by any authenticated domain user.

Priority: P2 (70) · High
CVSS 3.1: 8.8 · AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 18.34% (96.9th percentile)

Affected (2 ranges)

Vendor   Product                    Version range                   Fixed in
veeam    backup_and_recovery        12.3 – 12.3                     (none listed)
veeam    veeam_backup_replication   >= 12.0.0.1402, < 12.3.1.1139   12.3.1.1139

Detection & IOCs (extracted from sources)

Indicators (type: other)
  Veeam.Backup.EsxManager.xmlFrameworkDs
  Veeam.Backup.Core.BackupSummary
  • CVE-2025-23120 is a .NET deserialization vulnerability: the gadget chain runs through the Veeam.Backup.EsxManager.xmlFrameworkDs and Veeam.Backup.Core.BackupSummary classes, neither of which was on Veeam's deserialization blacklist. Monitor Veeam Backup & Replication (VBR) network traffic and logs for serialized .NET objects that reference these type names, or more broadly the Veeam.Backup.EsxManager and Veeam.Backup.Core namespaces, in inbound requests to VBR.
  • The vulnerability is only exploitable on VBR installations joined to a Windows domain, and any domain user is a sufficient principal: standalone (non-domain-joined) deployments are not vulnerable, while on a domain-joined server every domain account is in scope. Alert on domain-user authentications to VBR that reach deserialization-related code paths.
  • Affected versions are VBR 12.3.0.310 and all earlier version 12 builds; the fix is build 12.3.1.1139. Flag any unpatched VBR instance (pre-12.3.1.1139) reachable by domain-authenticated users.
  • Rockwell Automation Lifecycle Services products that bundle Veeam (Industrial Data Center generations 1–5 and VersaVirtual Appliance series A–C) are also affected; include them in asset scope for detection and patching.
  • Veeam's blacklist-based deserialization defense was bypassed by finding a new gadget chain that was not on the list. Blacklists alone do not prevent exploitation of newly discovered gadget chains, so the blacklist should not be relied on as a mitigation in place of the patch.
  • No public exploitation of CVE-2025-23120 had been reported to CISA at advisory publication time, but watchTowr's technical disclosure makes a public PoC likely.
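The two practical checks in the notes above, the build-number check against 12.3.1.1139 and the scan of inbound data for the two gadget type names, as an added Python example. This is not Veeam's code and not from the advisory: the log line format, the base64-wrapped body field and the serialized fragment are constructed for the example, and the fragment only sketches the BinaryFormatter record layout (type and assembly names really do appear as plain length-prefixed ASCII in such streams, which is what the byte-regex relies on).

```python
"""Added example: VBR build triage and gadget-type scan for CVE-2025-23120.

Not Veeam's code and not from the advisory: the log format, the base64 body
field and the serialized fragment below are constructed for illustration.
"""
import base64
import re
from typing import Dict, List, Tuple

Build = Tuple[int, int, int, int]

# Fixed build named on the page (Veeam KB); every 12.x build below it is flagged.
FIXED_BUILD: Build = (12, 3, 1, 1139)

# The two .NET types the advisory names as the gadget-chain entry points.
GADGET_TYPES = (
    "Veeam.Backup.EsxManager.xmlFrameworkDs",
    "Veeam.Backup.Core.BackupSummary",
)
# BinaryFormatter stores type/assembly names as length-prefixed ASCII/UTF-8 and
# XML serializers put them in type attributes, so one byte regex covers both.
TYPE_RE = re.compile(b"|".join(re.escape(t.encode("ascii")) for t in GADGET_TYPES))
# Candidate base64 blobs inside a text log line (40+ chars to avoid noise).
B64_RE = re.compile(rb"[A-Za-z0-9+/]{40,}={0,2}")


def parse_build(version: str) -> Build:
    """'12.3.0.310' -> (12, 3, 0, 310); raises ValueError on anything else."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part VBR build number: {version!r}")
    major, minor, patch, build = (int(p) for p in parts)
    return (major, minor, patch, build)


def is_vulnerable_build(version: str) -> bool:
    """True for any version 12 build below the fix.

    The page's affected table starts at 12.0.0.1402 and its note says
    '12.3.0.310 and all earlier version 12 builds'; flagging every 12.x build
    below 12.3.1.1139 satisfies both. Version 11 is outside the page's scope
    and is deliberately not flagged here.
    """
    build = parse_build(version)
    return build[0] == 12 and build < FIXED_BUILD


def scan_bytes(data: bytes) -> List[str]:
    """Gadget type names present in a raw (decoded) payload, in order of first hit."""
    hits: List[str] = []
    for match in TYPE_RE.finditer(data):
        name = match.group(0).decode("ascii")
        if name not in hits:
            hits.append(name)
    return hits


def scan_log_line(line: str) -> List[str]:
    """Scan one log line, including any base64-encoded blobs it carries."""
    hits = scan_bytes(line.encode("utf-8"))
    for blob in B64_RE.findall(line.encode("ascii", "ignore")):
        try:
            decoded = base64.b64decode(blob, validate=True)
        except ValueError:  # binascii.Error is a ValueError: not real base64
            continue
        for name in scan_bytes(decoded):
            if name not in hits:
                hits.append(name)
    return hits


def triage(version: str, log_lines: List[str]) -> Dict[str, object]:
    """Combine both checks: is the build unpatched, and which lines carry gadget types."""
    scanned = {i: scan_log_line(line) for i, line in enumerate(log_lines)}
    return {
        "vulnerable_build": is_vulnerable_build(version),
        "gadget_lines": {i: names for i, names in scanned.items() if names},
    }


# --- constructed sample input (not captured from a real system) ---------------
_TYPE = GADGET_TYPES[0].encode("ascii")
# Sketch of a BinaryFormatter stream: 17-byte header record (record type 0,
# root id 1, header id -1, version 1.0), then a length-prefixed string.
SAMPLE_STREAM = (
    b"\x00" + b"\x01\x00\x00\x00" + b"\xff\xff\xff\xff"
    + b"\x01\x00\x00\x00" + b"\x00\x00\x00\x00"
    + b"\x0c" + b"\x02\x00\x00\x00" + bytes([len(_TYPE)]) + _TYPE
)
# Hypothetical VBR-side access log; the second line carries a base64 body that
# wraps an XML-serialized object naming the second gadget type.
SAMPLE_LOG = [
    "2025-03-20 10:12:01 INFO  user=CORP\\jdoe src=10.0.0.5 op=ListBackups",
    "2025-03-20 10:12:03 DEBUG user=CORP\\jdoe src=10.0.0.5 body="
    + base64.b64encode(b"<z:Type>Veeam.Backup.Core.BackupSummary</z:Type>").decode("ascii"),
]

if __name__ == "__main__":
    print(scan_bytes(SAMPLE_STREAM))
    print(triage("12.3.0.310", SAMPLE_LOG))
```

Run it as a script to see both checks against the constructed input. A substring match on type names is a first-pass alert, not proof of exploitation: a real detection should also confirm that the request reached a deserializing endpoint, and payloads that are compressed or double-encoded will need decoding before this scan sees the names.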

CVSS provenance

NVD, CVSS v3.1: 8.8 HIGH      CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
NVD, CVSS v3.0: 9.9 CRITICAL  CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H