Veeam Patches CVE-2025-23121: Critical RCE Bug in Backup & Replication

Veeam, a prominent data backup and disaster recovery solution provider, has recently addressed a critical security vulnerability in its Backup and Replication software. The flaw, CVE-2025-23121, poses a significant risk as it could allow remote code execution (RCE) on affected systems. With a near-maximum CVSS score of 9.9, this vulnerability demands immediate attention and patching.

Vulnerability Details

The root cause of CVE-2025-23121 is uncontrolled deserialization through BinaryFormatter, a deprecated .NET serializer that Microsoft has explicitly warned against using on untrusted data. According to Microsoft, BinaryFormatter cannot be made secure, so applications are expected to remove it rather than attempt to harden it.

Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code under certain conditions, emphasizing the critical need for immediate patching.

Proof of Concept (PoC)

Although no public proof-of-concept exploit has been released yet, security researchers demonstrated that the patch for a similar vulnerability, CVE-2025-23120, could be bypassed, and that bypass led to the discovery of CVE-2025-23121. This illustrates how difficult it is to fully eliminate BinaryFormatter-related vulnerabilities with point fixes.

Impact & Exploit Potential

The impact of CVE-2025-23121 is substantial, primarily because Veeam Backup & Replication is a frequent target for ransomware groups. Successful exploitation could lead to:

  • Remote code execution on the backup server.
  • Compromise of backup data, leading to data loss or encryption.
  • Potential for lateral movement within the network.

Real World Observations

In 2024, more than 20% of observed incident response cases involved either access to or exploitation of Veeam once a threat actor had already established a foothold in the target environment.

With security flaws in Veeam backup software becoming a prime target for attackers in recent years, it’s crucial to immediately update to the latest version.

Tactics, Techniques, and Procedures (TTPs)

Attackers actively exploit Veeam Backup & Replication vulnerabilities in their attack chains. Key MITRE ATT&CK TTPs observed include:

  • TA0001 – Initial Access: Attackers exploit public-facing applications to gain an initial foothold.
  • TA0002 – Execution: Exploit client-side vulnerabilities to execute arbitrary code.
  • T1190 – Exploit Public-Facing Application: Leverage vulnerabilities in public-facing applications to gain access to the system.
  • T1203 – Exploitation for Client Execution: Exploit vulnerabilities in client-side applications to execute malicious code.

Affected Products

The vulnerability impacts the following products and versions:

  • Veeam Backup & Replication version 12 builds (including 12.3.1.1139)

Mitigation & Recommendations

To mitigate the risk posed by CVE-2025-23121, Veeam has released patched versions of its software. It is crucial to take the following actions:

  • Update Veeam Backup & Replication to version 12.3.2 (build 12.3.2.3617).

Organizations are advised to apply these updates immediately to protect their systems from potential exploitation.

Additional Vulnerabilities Addressed

In addition to CVE-2025-23121, Veeam has also addressed the following vulnerabilities:

  • CVE-2025-24286 (CVSS score: 7.2): An authenticated user with the Backup Operator role could modify backup jobs, leading to arbitrary code execution.
  • CVE-2025-24287 (CVSS score: 6.1): Local system users could modify directory contents, allowing for arbitrary code execution with elevated permissions.

These vulnerabilities have been patched in Veeam Backup & Replication 12.3.2 (build 12.3.2.3617) and Veeam Agent for Microsoft Windows 6.3.2 (build 6.3.2.1205), respectively.
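As an added example (not part of the original post and not Veeam's own tooling), the following PowerShell script checks the installed Veeam Backup & Replication and Veeam Agent for Microsoft Windows builds on the local host against the fixed builds named above (12.3.2.3617 and 6.3.2.1205). The executable paths are assumed default install locations, and the Agent executable name is an assumption; adjust both for non-default installs.

```powershell
# Added example: compare installed Veeam builds against the fixed builds
# from the advisory. Paths below are assumed default install locations.

$checks = @(
    @{
        Product    = 'Veeam Backup & Replication'
        Executable = 'C:\Program Files\Veeam\Backup and Replication\Backup\Veeam.Backup.Manager.exe'
        FixedBuild = [version]'12.3.2.3617'   # fixes CVE-2025-23121 and CVE-2025-24286
    },
    @{
        Product    = 'Veeam Agent for Microsoft Windows'
        Executable = 'C:\Program Files\Veeam\Endpoint Backup\Veeam.EndPoint.Manager.exe'  # assumed path
        FixedBuild = [version]'6.3.2.1205'    # fixes CVE-2025-24287
    }
)

function Test-VeeamBuild {
    param(
        [Parameter(Mandatory)] [string]  $Product,
        [Parameter(Mandatory)] [string]  $Executable,
        [Parameter(Mandatory)] [version] $FixedBuild
    )

    if (-not (Test-Path -LiteralPath $Executable)) {
        return [pscustomobject]@{
            Product    = $Product
            Installed  = $null
            FixedBuild = $FixedBuild
            Status     = 'NotInstalled'
        }
    }

    # Read the file version of the main executable, which reflects the
    # cumulative patch build. Casting to [version] compares each component
    # numerically, so a build such as 12.3.10.x is correctly newer than
    # 12.3.2.x (a plain string comparison would get this wrong).
    $installed = [version](Get-Item -LiteralPath $Executable).VersionInfo.FileVersion

    $status = if ($installed -lt $FixedBuild) {
        'VULNERABLE - update required'
    } else {
        'Patched'
    }

    [pscustomobject]@{
        Product    = $Product
        Installed  = $installed
        FixedBuild = $FixedBuild
        Status     = $status
    }
}

# Run every check and print a summary table.
foreach ($c in $checks) {
    Test-VeeamBuild @c
} | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on each backup server and on hosts running the Windows agent; any row reporting VULNERABLE should be scheduled for the update described above. The file-version approach is used rather than the Add/Remove Programs entry because cumulative patches do not always update the uninstall registry's DisplayVersion.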


Instantly Fix Risks with Saner Patch Management

Saner patch management is a continuous, automated, and integrated software that instantly fixes risks exploited in the wild. The software supports major operating systems like Windows, Linux, and macOS, as well as 550+ third-party applications.

It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. Saner patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.

Experience the fastest and most accurate patching software here.