CVE-2025-23120
Published 2025-03-20
CVE-2025-23120: A vulnerability allowing remote code execution (RCE) for domain users.
Priority: P2 70 · high · CVSS 3.1: 8.8
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 18.34% (96.9th percentile)
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| veeam | backup_and_recovery | 12.3 – 12.3 | — |
| veeam | veeam_backup_replication | >= 12.0.0.1402 < 12.3.1.1139 | 12.3.1.1139 |
Detection & IOCs (extracted from sources)
- CVE-2025-23120 exploits a deserialization gadget chain via the Veeam.Backup.EsxManager.xmlFrameworkDs and Veeam.Backup.Core.BackupSummary .NET classes that were not included in Veeam's deserialization blacklist; monitor for deserialization of these class names in Veeam Backup & Replication network traffic or logs.
- The vulnerability is only exploitable on domain-joined Veeam Backup & Replication installations; alert on any domain user authenticating to VBR and triggering deserialization-related code paths.
- Veeam's blacklist-based deserialization defense was bypassed by finding a new gadget chain not on the blacklist; detection should look for serialized .NET objects referencing the Veeam.Backup.EsxManager or Veeam.Backup.Core namespaces in inbound requests to VBR.
- Affected versions are Veeam Backup & Replication 12.3.0.310 and all earlier version 12 builds; flag any unpatched VBR instances (pre-build 12.3.1.1139) exposed to domain-authenticated users.
- Rockwell Automation Lifecycle Services products using Veeam (Industrial Data Center generations 1–5 and VersaVirtual Appliance series A–C) are also affected; include these in asset scope for detection and patching.
- The vulnerability only affects Veeam Backup & Replication installations that are joined to a Windows domain; standalone (non-domain-joined) deployments are not vulnerable.
- Veeam's blacklist-based deserialization mitigation approach is insufficient; the bypass demonstrates that blacklists alone do not prevent exploitation of new gadget chains.
- No known public exploitation of CVE-2025-23120 had been reported to CISA at time of advisory publication, but watchTowr's technical disclosure makes a PoC likely.
CVSS provenance
- NVD v3.1: 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- NVD v3.0: 9.9 CRITICAL, CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
GHSA
GHSA-74rc-h3mh-g8wh: A vulnerability allowing remote code execution (RCE) for domain users
ghsa_unreviewed · 2025-03-20 · CVE-2025-23120 [CRITICAL] · CWE-502
CISA ICS
Rockwell Automation Lifecycle Services with Veeam Backup and Replication
cisa_ics · 2025-04-01 · CVSS 8.8 · [HIGH]
ICS Advisory ICSA-25-091-01, release date April 01, 2025
## 1. EXECUTIVE SUMMARY
- CVSS v4 9.4
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Rockwell Automation
- Equipment: Lifecycle Services with Veeam Backup and Replication
- Vulnerability: Deserialization of Untrusted Data
## 2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an attacker with administrative privileges to execute code on the target system.
## 3. TECHNICAL DETAILS
## 3.1 AFFECTED PRODUCTS
Rockwell Automation reports the following Lifecycle Services with Veeam
No detection rules found.
No public exploits indexed.
Bleepingcomputer
New Veeam RCE flaw lets domain users hack backup servers
blogs_bleepingcomputer · 2025-06-17 · CVE-2025-23121 [CRITICAL] · CVSS 9.8
Sergiu Gatlan
Veeam has released security updates today to fix several Veeam Backup & Replication (VBR) flaws, including a critical remote code execution (RCE) vulnerability.
Tracked as CVE-2025-23121, this security flaw was reported by security researchers at watchTowr and CodeWhite, and it only impacts domain-joined installations.
As Veeam explained in a Tuesday security advisory, the vulnerability can be exploited by authenticated domain users in low-complexity attacks to gain code execution remotely on the Backup Server. This flaw affects Veeam Backup & Replication 12 or later, and it was fixed in version 12.3.2.3617, which was released earlier today.
While CVE-2025-23121 only impacts VBR installations joined to a dom
Tenable
Reducing Remediation Time Remains a Challenge: How Tenable Vulnerability Watch Can Help
blogs_tenable · 2025-04-25
Checkpoint
31st March – Threat Intelligence Report
blogs_checkpoint · 2025-04-01 · CVE-2025-2783
For the latest discoveries in cyber research for the week of 31st March, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
New York University (NYU) suffered a cyber-attack which resulted in the exposure of over 3 million applicants’ data, including names, test scores, majors, and zip codes. The hacker redirected NYU’s website to display this information, alleging the university’s continued use of race-sensitive admissions policies despite the Su
Checkpoint
24th March – Threat Intelligence Report
blogs_checkpoint · 2025-03-24 · CVE-2024-48248
For the latest discoveries in cyber research for the week of 24th March, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
Municipalities in four US states experienced cyberattacks that disrupted services for county offices, courts, and schools. Cleveland Municipal Court was hit by Qilin ransomware attack, forcing employees offline and delaying trials, while Strafford County, Pelham School District, and Derby Police Department also reported servi
Bleepingcomputer
Veeam RCE bug lets domain users hack backup servers, patch now
blogs_bleepingcomputer · 2025-03-20 · CVE-2025-23120 [HIGH] · CVSS 8.8
Lawrence Abrams
Veeam has patched a critical remote code execution vulnerability tracked as CVE-2025-23120 in its Backup & Replication software that impacts domain-joined installations.
The flaw was disclosed yesterday and affects Veeam Backup & Replication version 12.3.0.310 and all earlier version 12 builds. The company fixed it in version 12.3.1 (build 12.3.1.1139), which was released yesterday.
According to a technical writeup by watchTowr Labs, who discovered the bug, CVE-2025-23120 is a deserialization vulnerability in the Veeam.Backup.EsxManager.xmlFrameworkDs and Veeam.Backup.Core.BackupSummary .NET classes.
A deserialization flaw is when an application improperly processes serialized data, allowing attackers
Greynoiseio
Storm Watch
blogs_greynoiseio
Published: 2025-03-20