
Critical Veeam Backup & Replication Vulnerability Patched

Summary

In recent months, the Ankura Incident Response (IR) and Cyber Threat Investigations & Expert Services (CTIX) teams have handled a series of incidents in which client organizations fell victim to ransomware and double-extortion attacks that began with the exploitation of unpatched Veeam servers. Veeam has now disclosed and patched a critical remote code execution (RCE) vulnerability in its Backup & Replication software and is urging customers to update immediately to version 12.3.1 (build 12.3.1.1139). The flaw, tracked as CVE-2025-23120 (CVSS 9.9/10), is an insecure deserialization issue and affects all supported versions (12, 12.1, 12.2, and 12.3); older, unsupported versions are likely vulnerable as well.

No in-the-wild exploitation is known at the time of writing, but attackers could adapt existing proof-of-concept (PoC) code for a previous Veeam deserialization vulnerability (CVE-2024-40711) to this issue. The vulnerability specifically affects domain-joined backup servers, a configuration Veeam advises against for exactly this kind of reason, though it remains very common in enterprise environments. Exploitation requires authentication, but that bar is low: on a domain-joined server, any authenticated domain user could potentially gain SYSTEM privileges on the backup server.

Because backup infrastructure is a favored target of ransomware groups, and because Veeam Backup & Replication vulnerabilities have been exploited in the past, CTIX analysts recommend patching immediately rather than waiting for the routine update cycle. Rapid7 reported that more than 20% of its 2024 incident response cases involved Veeam being accessed or exploited, which underlines the need to protect backup systems not only from the outside but from anyone who already holds domain credentials, whether an insider or an intruder.

Veeam Backup & Replication Critical Vulnerability (CVE-2025-23120)

Vulnerability Details

  • A critical remote code execution (RCE) vulnerability (CVE-2025-23120, CVSS 9.9/10) affects Veeam Backup & Replication.
  • The flaw stems from insecure deserialization mechanisms, similar to past vulnerabilities (CVE-2024-40711 and CVE-2024-42455).
  • It allows any authenticated domain user to execute arbitrary code on the backup server, with SYSTEM privileges.

Affected Versions & Exploitation Risk

  • Impacts all supported versions (12, 12.1, 12.2, and 12.3), with unsupported versions likely vulnerable.
  • Requires authentication, but security researchers warn that this requirement is weak because any authenticated domain user meets it.
  • Specifically affects domain-joined backup servers, a configuration Veeam advises against but remains common.

Research & Exploitability

  • Reported by watchTowr researcher Piotr Bazydlo.
  • While no public proof-of-concept (PoC) exploit is currently available, attackers could modify PoC code from CVE-2024-40711 to exploit this flaw.
  • Backup servers are prime targets for ransomware groups and internal attackers.

Mitigations and Recommendations

1. Immediate Patch Deployment

  • Update to Veeam Backup & Replication version 12.3.1 (build 12.3.1.1139) as soon as possible.
  • Do not wait for a regular patch cycle as this vulnerability is critical, and delays will increase risk.
  • Ensure all affected servers and instances are updated, including those in isolated or test environments.
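The patch step above turns into an inventory question: which servers are still below the fixed build, and which of those are domain-joined and therefore first in the queue? The script below is an added example, not Veeam's or Ankura's code. It takes the fixed build (12.3.1.1139) and the affected 12.x line from the advisory; the server inventory, the hostnames and the `domain_joined` flag are constructed sample data that a reader would populate from their own CMDB or an AD query.

```python
"""Patch-status triage for Veeam Backup & Replication servers (CVE-2025-23120).

Added example, not Veeam's or Ankura's code. FIXED_BUILD and AFFECTED_MAJOR
come from the advisory; SAMPLE_INVENTORY is constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass

FIXED_BUILD = "12.3.1.1139"   # first build that carries the fix
AFFECTED_MAJOR = 12           # 12, 12.1, 12.2 and 12.3 are the supported, affected line


def parse_build(build: str) -> tuple[int, ...]:
    """Turn '12.3.0.310' into (12, 3, 0, 310) so builds compare numerically.

    Comparing the raw strings is the classic inventory bug: '9.5.4.2866' sorts
    *after* '12.3.1.1139' because '9' > '1', which would mark an ancient
    server as patched.
    """
    parts = build.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric build string: {build!r}")
    return tuple(int(p) for p in parts)


def assess(build: str, domain_joined: bool) -> tuple[str, str]:
    """Return (status, priority) for one server.

    status:   'patched', 'vulnerable' (supported 12.x below the fix) or
              'unsupported-version' (pre-12: out of support and, per the
              advisory, likely vulnerable, so it needs an upgrade, not a patch)
    priority: 'P1' for domain-joined servers, the configuration the advisory
              describes as exploitable by any authenticated domain user;
              'P2' otherwise; 'none' when already patched
    """
    current = parse_build(build)
    if current >= parse_build(FIXED_BUILD):
        return ("patched", "none")
    status = "vulnerable" if current[0] >= AFFECTED_MAJOR else "unsupported-version"
    return (status, "P1" if domain_joined else "P2")


@dataclass(frozen=True)
class VeeamServer:
    host: str
    build: str
    domain_joined: bool


# Constructed sample inventory; hostnames and placement are illustrative.
SAMPLE_INVENTORY = [
    VeeamServer("vbr-prod-01", "12.3.0.310", domain_joined=True),
    VeeamServer("vbr-prod-02", "12.3.1.1139", domain_joined=True),
    VeeamServer("vbr-lab-01", "12.1.2.172", domain_joined=False),
    VeeamServer("vbr-legacy", "9.5.4.2866", domain_joined=True),
]


def patch_queue(servers: list[VeeamServer]) -> list[tuple[str, str, str, str]]:
    """Return (priority, host, build, status) for every unpatched server, P1 first."""
    rows = []
    for s in servers:
        status, priority = assess(s.build, s.domain_joined)
        if status != "patched":
            rows.append((priority, s.host, s.build, status))
    rows.sort()
    return rows


if __name__ == "__main__":
    for priority, host, build, status in patch_queue(SAMPLE_INVENTORY):
        print(f"{priority} {host:<12} {build:<12} {status}")
```

Running it lists the legacy 9.5 server and the domain-joined 12.3.0 server as P1 and the non-domain lab server as P2; the already-patched production server is dropped. The numeric comparison matters: a string sort would have put the 9.5 box above the fixed build.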

2. Restrict Access to Backup Servers

  • Avoid domain-joined configurations for Veeam Backup & Replication servers; this vulnerability specifically affects them, and Veeam recommends against the configuration regardless.
  • Enforce the principle of least privileged access to backup servers, limiting exposure to necessary users only.
  • Regularly audit user accounts and privileges, revoking unnecessary access.

3. Strengthen Authentication and Network Security

  • Enable multi-factor authentication (MFA) wherever possible to prevent unauthorized logins.
  • Restrict network access to Veeam servers using firewall rules and network segmentation (e.g. only allow access from trusted management IPs).
  • Disable unused services and protocols on backup servers to minimize the attack surface.

4. Monitor for Suspicious Activity

  • Implement log monitoring and alerting for unusual login attempts, privilege escalations, or abnormal data access on Veeam servers.
  • Use endpoint detection and response (EDR) tools to detect potential exploitation attempts.
  • Check for indicators of compromise (IoCs) related to past Veeam exploits, including CVE-2024-40711 and CVE-2024-42455.
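Two of the monitoring points above can be expressed as concrete rules: logons to the backup server by accounts that have no business there (the "any authenticated domain user" path), and the Veeam backup service spawning a shell, which is what a deserialization RCE in that service would look like on the host. The script below is an added example, not Ankura's or Veeam's code. The log lines are constructed and use a simplified `EventID key=value` layout rather than a real EVTX or Sysmon export; it assumes the service binary is named Veeam.Backup.Service.exe and that the reader maintains `BACKUP_ADMINS` as the allowlist of accounts expected on the server.

```python
"""Two monitoring rules for a Veeam backup server, run over sample log lines.

Added example, not Ankura's or Veeam's code. Assumptions: the backup service
binary is Veeam.Backup.Service.exe, a deserialization RCE in that service
would surface as the service spawning a shell, and BACKUP_ADMINS is the
reader's own allowlist. SAMPLE_LOG is constructed, not a real export.
"""
from __future__ import annotations

import re

BACKUP_ADMINS = {"CORP\\svc-veeam", "CORP\\backup-admin"}   # assumed allowlist
VEEAM_SERVICE = "veeam.backup.service.exe"                   # assumed service binary
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "rundll32.exe", "mshta.exe"}
WATCHED_LOGON_TYPES = {"2", "3", "10"}   # interactive, network, RemoteInteractive (RDP)

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line: str) -> dict[str, str]:
    """Parse 'EVENTID key=value ...' into a dict; quoted values may contain spaces."""
    event_id, _, rest = line.strip().partition(" ")
    fields = {k: v.strip('"') for k, v in _KV.findall(rest)}
    fields["EventID"] = event_id
    return fields


def check_logon(ev: dict[str, str]) -> str | None:
    """Rule 1: a logon to the backup server by an account outside the allowlist.

    Service logons (type 5) are routine and deliberately not watched; any
    other domain user reaching the server is the actor the advisory describes.
    """
    if ev["EventID"] != "4624" or ev.get("LogonType") not in WATCHED_LOGON_TYPES:
        return None
    user = f"{ev.get('TargetDomainName', '')}\\{ev.get('TargetUserName', '')}"
    if user in BACKUP_ADMINS:
        return None
    return f"non-admin logon to backup server: {user} type={ev['LogonType']} from {ev.get('IpAddress', '?')}"


def check_process(ev: dict[str, str]) -> str | None:
    """Rule 2: the backup service process spawning a shell or LOLBin.

    The service has no reason to launch cmd.exe or powershell.exe; when it
    does, the child inherits the service's SYSTEM context.
    """
    if ev["EventID"] != "4688":
        return None
    parent = ev.get("ParentProcessName", "").rsplit("\\", 1)[-1].lower()
    child = ev.get("NewProcessName", "").rsplit("\\", 1)[-1].lower()
    if parent == VEEAM_SERVICE and child in SHELLS:
        return f"backup service spawned {child} as {ev.get('SubjectUserName', '?')}: possible RCE"
    return None


def scan(lines: list[str]) -> list[str]:
    """Run every rule over every line and return the alerts in log order."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        for rule in (check_logon, check_process):
            hit = rule(ev)
            if hit:
                alerts.append(hit)
    return alerts


# Constructed sample log: a benign admin logon, a service logon, a stray
# domain user, a normal Veeam child process, and a shell spawned by the service.
SAMPLE_LOG = r"""
4624 LogonType=3 TargetDomainName=CORP TargetUserName=svc-veeam IpAddress=10.0.5.20
4624 LogonType=5 TargetDomainName="NT AUTHORITY" TargetUserName=SYSTEM IpAddress=-
4624 LogonType=3 TargetDomainName=CORP TargetUserName=jdoe IpAddress=10.0.40.77
4688 SubjectUserName=svc-veeam NewProcessName="C:\Program Files\Veeam\Backup and Replication\Backup\Veeam.Backup.Manager.exe" ParentProcessName="C:\Program Files\Veeam\Backup and Replication\Backup\Veeam.Backup.Service.exe"
4688 SubjectUserName=SYSTEM NewProcessName="C:\Windows\System32\cmd.exe" ParentProcessName="C:\Program Files\Veeam\Backup and Replication\Backup\Veeam.Backup.Service.exe"
""".strip().splitlines()


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print("ALERT:", alert)
```

On the sample data the two expected events fire and nothing else does: the jdoe network logon is flagged, the service's own logon and its normal child process are ignored, and the cmd.exe spawned under the service is reported. In production the same two rules map onto whatever your SIEM or EDR already collects; the allowlist and the process name are the parts to tune.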

5. Secure Backups Against Ransomware Attacks

  • Ensure backups are encrypted, offline, or air-gapped to prevent attackers from modifying or deleting them.
  • Implement immutable backups, which cannot be altered or removed once written.
  • Regularly test and validate backup integrity to confirm recoverability in case of an attack.

6. Stay Informed and Proactive

  • Follow Veeam security advisories for further updates or potential mitigations.
  • Subscribe to security feeds from cybersecurity firms, such as Ankura's bi-weekly CTIX FLASH Update newsletter.
  • Conduct regular penetration testing and vulnerability assessments to identify misconfigurations or security gaps.


© Copyright 2025. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.
