
Researchers stress caution as Veeam addresses a severe vulnerability through a patch release

Researchers claim the backup software's patch still leaves companies vulnerable.

Veeam has issued a patch to rectify a critical vulnerability, with researchers emphasizing caution

In the realm of data management, security is paramount. This is especially true for tools like Veeam Backup & Replication, a popular choice for backing up, replicating, and restoring company data. Recently, a series of significant vulnerabilities has been discovered in this software, the latest being CVE-2025-23121.

CVE-2025-23121: A deserialization flaw allowing authenticated domain users to execute arbitrary code on Backup & Replication servers. This critical vulnerability, with a CVSS score of 9.9, is considered a bypass of a previous patch (CVE-2025-23120).

Veeam has promptly addressed these vulnerabilities through security patches and hotfixes. For instance, an August 2025 hotfix was released specifically for CVE-2025-23120. Earlier, in 2024, Veeam patched 18 high and critical vulnerabilities across its Backup & Replication, Service Provider Console, and ONE products. The most severe was CVE-2024-40711, a remote code execution vulnerability with a CVSS score of 9.8.

It's essential for Veeam users to ensure they are using the latest versions of all software and that patches are installed in a timely manner. This is particularly important given that ransomware groups have frequently targeted vulnerabilities in Veeam's products.

While Veeam has taken steps to mitigate these vulnerabilities, there are still risks associated with the use of domain-joined backup servers. These servers, often used for efficiency purposes, can be a target for abuse. Veeam advises against using domain-joined backup servers due to potential risks.

Researchers at watchTowr and Code White GmbH have highlighted that the vulnerability (CVE-2025-23121) is a continuation of a previous vulnerability (CVE-2025-23120) whose patch could be bypassed. The root cause is that Veeam processes incoming data with a deserialization routine that is known to be inherently insecure. Instead of removing this routine, Veeam maintains a list of "bad gadgets" that it refuses to process within it.

However, watchTowr CEO Benjamin Harris has noted that a blacklisting approach is not sufficient to address such vulnerabilities. Harris also pointed out that Veeam updates a blacklist of "dangerous deserialization gadgets" after they have been reported. In March, watchTowr demonstrated this again when they reported further gadgets to Veeam.
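To make the blacklist-versus-allowlist point concrete, here is an added example that is not Veeam's code or the researchers' code: Veeam's product is .NET, so Python's pickle stands in for any deserializer that resolves type names taken from untrusted input. Both loaders block a known gadget, but only the allowlist blocks a type that was not known when the list was written (math.sqrt is a harmless constructed stand-in for such a newly reported gadget).

```python
import io
import pickle

# Denylist modelled on the "bad gadgets" approach: only known-dangerous
# (module, name) pairs are refused; anything else resolves.
DENIED = {("os", "system"), ("builtins", "eval")}

# Allowlist: the only (module, name) pairs this application ever needs.
ALLOWED = {("builtins", "set"), ("collections", "OrderedDict")}


class DenylistUnpickler(pickle.Unpickler):
    """Refuses listed gadgets, resolves everything else (the patch-and-chase model)."""
    def find_class(self, module, name):
        if (module, name) in DENIED:
            raise pickle.UnpicklingError(f"blocked gadget {module}.{name}")
        return super().find_class(module, name)


class AllowlistUnpickler(pickle.Unpickler):
    """Resolves only pre-approved types; unknown ones fail closed."""
    def find_class(self, module, name):
        if (module, name) not in ALLOWED:
            raise pickle.UnpicklingError(f"{module}.{name} is not allowlisted")
        return super().find_class(module, name)


def load_with(loader_cls, data: bytes):
    """Return ('ok', obj) if every type reference resolves, else ('blocked', reason)."""
    try:
        return ("ok", loader_cls(io.BytesIO(data)).load())
    except pickle.UnpicklingError as exc:
        return ("blocked", str(exc))


def compare(data: bytes) -> dict:
    """Outcome of the same payload under both policies."""
    return {"denylist": load_with(DenylistUnpickler, data)[0],
            "allowlist": load_with(AllowlistUnpickler, data)[0]}


# Constructed sample payloads. The hand-written ones use the protocol-0
# GLOBAL opcode ('c' + "module\nname\n") followed by STOP ('.'); they only
# reference a name, there is no REDUCE opcode, so nothing is ever called.
BENIGN = pickle.dumps({1, 2, 3})          # ordinary application data
KNOWN_GADGET = b"cos\nsystem\n."          # on the denylist when it was written
UNLISTED = b"cmath\nsqrt\n."              # stand-in for a gadget reported later

if __name__ == "__main__":
    for label, payload in [("benign", BENIGN), ("known", KNOWN_GADGET), ("unlisted", UNLISTED)]:
        print(label, compare(payload))
```

The unlisted payload resolves under the denylist and is refused under the allowlist; that gap is exactly what each newly reported gadget reopens.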

With a customer base of over 550,000 users, it's crucial that Veeam users prioritise updating to the latest version following a patch release. This is especially important given that more than 20% of Rapid7's incident response cases in 2024 involved Veeam being accessed or exploited.

Attackers may still attempt to exploit and reverse-engineer patches for unpatched versions of Veeam software. Therefore, it's essential to stay vigilant and keep your software updated. Veeam continues to emphasise a security architecture that includes zero trust principles, immutable backups, and secure handling of encryption keys and credentials as foundational defenses against exploitation and ransomware threats.

  1. In the realm of technology, security concerns are heightened, especially when it comes to software like Veeam Backup & Replication, used for backing up, replicating, and restoring company data.
  2. A recent incident response focused on vulnerabilities in Veeam's software, such as CVE-2025-23121, which allows authenticated domain users to execute arbitrary code on Backup & Replication servers.
  3. The cybersecurity industry is keenly aware of the targeting of vulnerabilities in Veeam's products by ransomware groups, making it crucial for users to ensure they are using the latest versions and installing patches promptly.
  4. Despite Veeam's efforts to address these vulnerabilities through security patches and hotfixes, there are still concerns about the use of domain-joined backup servers, particularly due to the potential risks they pose.
