Veeam issues critical security patch for backup and replication software
‘Any user’ could exploit the weakness
The flaw, identified as CVE-2025-23120, has been assigned a CVSS severity score of 9.9 out of 10 and impacts version 12.3.0.310, as well as all earlier builds of version 12, according to The Hacker News.
The vulnerability, first flagged by security researcher Piotr Bazydlo of watchTowr, enables authenticated domain users to execute arbitrary code on affected systems. Veeam has resolved the issue in version 12.3.1 (build 12.3.1.1139), as announced in its latest advisory.
Research by Bazydlo and fellow cybersecurity expert Sina Kheirkhah suggests that the flaw arises from Veeam’s deserialisation mechanism, which inconsistently enforces security restrictions. Attackers can exploit this by leveraging a deserialisation gadget not originally included in the company’s blocklist.
The researchers identified Veeam.Backup.EsxManager.xmlFrameworkDs and Veeam.Backup.Core.BackupSummary as two such overlooked components that can be used to execute arbitrary code remotely.
The researchers warned that any user in the local users group on a Windows-based Veeam server could exploit this weakness. If the server is linked to a domain, the risk extends to “any domain user.”
Veeam’s patch updates the blocklist to include these vulnerable components, but experts caution that similar threats could arise in the future if other exploitable gadgets remain undetected.
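The caution in the previous paragraph follows from how a blocklist-based type filter works. In .NET, a formatter consults a SerializationBinder for every type name it finds in an incoming stream before instantiating anything, so the binder is where the filter lives. The following is an added illustration, not Veeam's code or any part of its patch: a blocklist binder that carries the two type names quoted above and therefore accepts any name it has not seen, beside an allowlist binder that resolves only the types the stream is expected to contain. The class names BlocklistBinder, AllowlistBinder, JobStatus and BinderDemo are assumed for the example, and the binders are exercised by calling BindToType directly rather than through a formatter, so the file builds and runs without any serialized input.

```csharp
using System;
using System.Collections.Generic;
using System.Runtime.Serialization;

// Added example, not Veeam's code. A .NET formatter asks its SerializationBinder
// to turn every type name in an incoming stream into a Type before it
// instantiates anything, so the binder is where a type filter lives.

// Blocklist style: refuses names it knows about, resolves everything else.
public sealed class BlocklistBinder : SerializationBinder
{
    // The two type names from the advisory; any gadget not listed passes through.
    private static readonly HashSet<string> Blocked = new HashSet<string>(StringComparer.Ordinal)
    {
        "Veeam.Backup.EsxManager.xmlFrameworkDs",
        "Veeam.Backup.Core.BackupSummary",
    };

    public override Type BindToType(string assemblyName, string typeName)
    {
        if (Blocked.Contains(typeName))
            throw new SerializationException("Blocked type: " + typeName);

        // Not on the list, so resolve whatever the stream asked for. This is the
        // gap the researchers describe: the list only covers gadgets already known.
        Type t = Type.GetType(typeName, throwOnError: false);
        if (t == null && !string.IsNullOrEmpty(assemblyName))
            t = Type.GetType(typeName + ", " + assemblyName, throwOnError: false);
        return t;
    }
}

// Allowlist style: resolves only the types this stream is expected to carry.
public sealed class AllowlistBinder : SerializationBinder
{
    private readonly Dictionary<string, Type> _allowed =
        new Dictionary<string, Type>(StringComparer.Ordinal);

    public AllowlistBinder(params Type[] expected)
    {
        foreach (Type t in expected)
            _allowed[t.FullName] = t;
    }

    public override Type BindToType(string assemblyName, string typeName)
    {
        if (_allowed.TryGetValue(typeName, out Type t))
            return t;

        // Unknown name: fail closed instead of resolving it.
        throw new SerializationException("Type not permitted in this stream: " + typeName);
    }
}

// Constructed stand-in for a legitimate payload type the application expects.
[Serializable]
public sealed class JobStatus
{
    public string Name = "";
    public int ExitCode;
}

public static class BinderDemo
{
    // True when the binder would hand the formatter a Type for this name.
    public static bool WouldResolve(SerializationBinder binder, string typeName)
    {
        try
        {
            return binder.BindToType("", typeName) != null;
        }
        catch (SerializationException)
        {
            return false;
        }
    }

    public static void Main()
    {
        SerializationBinder blocklist = new BlocklistBinder();
        SerializationBinder allowlist = new AllowlistBinder(typeof(JobStatus));

        // A name that is on the blocklist: both binders refuse it.
        string listed = "Veeam.Backup.Core.BackupSummary";
        // A real type that is neither on the blocklist nor expected in the stream.
        // System.String stands in for "a type the list never anticipated".
        string unlisted = "System.String";

        Console.WriteLine("blocklist, listed gadget : " + WouldResolve(blocklist, listed));
        Console.WriteLine("blocklist, unlisted type : " + WouldResolve(blocklist, unlisted));
        Console.WriteLine("allowlist, listed gadget : " + WouldResolve(allowlist, listed));
        Console.WriteLine("allowlist, unlisted type : " + WouldResolve(allowlist, unlisted));
        Console.WriteLine("allowlist, expected type : " + WouldResolve(allowlist, typeof(JobStatus).FullName));
    }
}
```

Running it shows the asymmetry the researchers point to: the blocklist binder refuses only the names it has been told about and resolves the unlisted type without question, so every newly found gadget requires another entry, whereas the allowlist binder rejects both the listed gadget and the unlisted type and resolves only JobStatus. When reviewing a deserialisation boundary, the question to ask is whether the filter enumerates what is permitted or only what is known to be dangerous.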
IBM joins patch parade
The update from Veeam coincides with IBM’s disclosure of two critical vulnerabilities in its AIX operating system, which could allow remote attackers to execute commands. These flaws impact AIX versions 7.2 and 7.3:
- CVE-2024-56346 (CVSS 10.0): A flaw in the AIX nimesis NIM master service that permits unauthorised command execution.
- CVE-2024-56347 (CVSS 9.6): A vulnerability in the AIX nimsh service’s SSL/TLS protection mechanism that could also lead to remote command execution.
Although there is currently no indication that these vulnerabilities have been actively exploited, organisations are urged to apply the relevant patches as soon as possible to mitigate potential risks.