On 19 March 2025, Veeam published a security advisory for a critical severity vulnerability impacting their Backup & Replication software. The advisory did not provide technical details regarding the vulnerability, although it did mention that it could be exploited by authenticated domain users.
On 20 March 2025, watchTowr Labs released a technical report detailing the vulnerability and providing proof-of-concept (PoC) exploit code. In the report, watchTowr specified that the vulnerability can be exploited by any user belonging to the local users group of the Windows host running the Veeam server. Additionally, if the server has been joined to an Active Directory (AD) domain, any domain user can exploit the vulnerability. They state that CVE-2025-23120 is very similar to a previous vulnerability, CVE-2024-40711, a deserialisation of untrusted data vulnerability in which a malicious payload can lead to remote code execution (RCE) in Veeam Backup & Replication. The PoC provided in the report uses an exploit for CVE-2024-40711 with slight alterations to update it for CVE-2025-23120.
Historically, Veeam Backup & Replication has been a frequent target for ransomware groups due to its critical role in backup and recovery. Arctic Wolf previously reported on Veeam addressing multiple vulnerabilities in a September 2024 security bulletin.
Recommendation for CVE-2025-23120
Upgrade to Latest Fixed Version
Arctic Wolf strongly recommends that customers upgrade to the latest fixed version of Veeam Backup & Replication.
| Product | Affected Version | Fixed Version |
|---|---|---|
| Veeam Backup & Replication | 12.3.0.310 and all earlier version 12 builds | 12.3.1 (build 12.3.1.1139) |
Please follow your organisation’s patching and testing guidelines to minimise potential operational impact.
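As an added example (not code from the advisory, Arctic Wolf or Veeam), the following Python check applies the affected/fixed rule from the table above to an inventory of installed build strings; the host names and any build numbers not shown in the table are constructed sample values.

```python
from typing import Dict, List, Optional, Tuple

# Values taken from the advisory table: every version 12 build up to and
# including 12.3.0.310 is affected; 12.3.1 (build 12.3.1.1139) is the fix.
AFFECTED_MAJOR = 12
FIXED_BUILD = (12, 3, 1, 1139)


def parse_build(version: str) -> Tuple[int, ...]:
    """Convert a dotted Veeam build string such as '12.3.0.310' to a tuple.

    Missing trailing components are padded with zeros, so a bare '12.3.1'
    compares as 12.3.1.0 and is treated as below the fixed build. That is a
    deliberately conservative assumption: a build string without the fourth
    component should be confirmed on the host rather than assumed patched.
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric build string: {version!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (4 - len(nums)) if len(nums) < 4 else nums


def is_affected(version: str) -> Optional[bool]:
    """True if affected by CVE-2025-23120, False if at or above the fixed build.

    Returns None for any major version other than 12, because the advisory
    only states the status of version 12 builds.
    """
    build = parse_build(version)
    if build[0] != AFFECTED_MAJOR:
        return None
    return build < FIXED_BUILD


def hosts_needing_upgrade(inventory: Dict[str, str]) -> List[str]:
    """Return the sorted host names whose build is known to be affected."""
    return sorted(h for h, v in inventory.items() if is_affected(v) is True)


# Constructed sample inventory (host names and most builds are made up).
SAMPLE_INVENTORY = {
    "vbr-01": "12.3.0.310",   # last affected build named in the advisory
    "vbr-02": "12.3.1.1139",  # fixed build named in the advisory
    "vbr-03": "12.2.0.1",     # constructed earlier version 12 build
    "vbr-04": "13.0.0.1",     # constructed build outside the advisory's scope
}

if __name__ == "__main__":
    print(hosts_needing_upgrade(SAMPLE_INVENTORY))
```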