Attackers can inject malicious code into Veeam Backup & Replication
A security update closes a critical gap in Veeam Backup & Replication. However, systems are only vulnerable under certain conditions.
If systems with the backup solution Veeam Backup & Replication are part of a domain, attackers can exploit a critical vulnerability and compromise computers. A version secured against this is available for download.
In a warning message, the developers state that all versions up to and including 12.3.0.310 are affected. Version 12.3.1 (build 12.3.1.1139) should be protected. If admins are unable to install the update immediately, they must temporarily protect their systems with a hotfix. However, this only works if no other hotfixes are installed. So far there have been no reports of attacks.
Effects of attacks
The now closed vulnerability (CVE-2025-23120) is classified as "critical". It is a deserialization vulnerability in the context of the Veeam.Backup.EsxManager.xmlFrameworkDs and Veeam.Backup.Core.BackupSummary classes. In such vulnerabilities, the deserialization of data goes wrong in a way that allows attackers to inject malicious code. In this case, this is even possible remotely, which exacerbates the situation.
In September 2024, the developers closed a similar vulnerability in Veeam Backup & Replication. To do so, they introduced a blacklist of classes and objects that could serve as points of attack. However, this list is obviously incomplete, as security researchers now explain in a report on the current vulnerability.
Attacks may be imminent
Their report shows how an attack could proceed. Before attackers take inspiration from it, admins should secure their systems promptly. Veeam's backup solution is a popular target for ransomware gangs.
The security researchers conclude their report by saying that a blacklist makes little sense in this context and should be "illegal". After all, it is basically impossible to keep such a list up to date and comprehensive at all times.
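The researchers' point that a class blacklist can never be kept complete, shown with a constructed Python example (added here; it is not Veeam's code and has nothing to do with its .NET serializer): a denylist-based unpickler lets through any type its author did not think of, while an allowlist-based one accepts only the single type the application expects. The class names, the denylist entries and the `load_with`/`compare` helpers are assumptions made for this illustration.

```python
import io
import pickle


# Constructed stand-in for the one type the application expects to receive.
class BackupSummary:
    def __init__(self, job, size):
        self.job = job
        self.size = size


# Harmless stand-in for a type the denylist author simply did not list.
# It executes nothing; it only shows that the denylist does not stop it.
class UnlistedType:
    def __init__(self, note):
        self.note = note


# Denylist approach: block what is already known to be dangerous.
# Hypothetical entries, not Veeam's list.
DENYLIST = {("os", "system"), ("subprocess", "Popen")}


class DenylistUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        if (module, name) in DENYLIST:
            raise pickle.UnpicklingError(f"blocked {module}.{name}")
        return super().find_class(module, name)


# Allowlist approach: resolve only the type the application expects.
ALLOWLIST = {(__name__, "BackupSummary")}


class AllowlistUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        if (module, name) not in ALLOWLIST:
            raise pickle.UnpicklingError(f"not permitted: {module}.{name}")
        return super().find_class(module, name)


def load_with(unpickler_cls, data):
    """Return ('ok', obj) when the data is accepted, else ('rejected', reason)."""
    try:
        return "ok", unpickler_cls(io.BytesIO(data)).load()
    except pickle.UnpicklingError as exc:
        return "rejected", str(exc)


def compare(obj):
    """Serialize obj and report the verdict of each policy on the same bytes."""
    data = pickle.dumps(obj, protocol=4)
    return {"denylist": load_with(DenylistUnpickler, data)[0],
            "allowlist": load_with(AllowlistUnpickler, data)[0]}
```

The expected type passes both policies, but the unlisted type passes the denylist and is stopped only by the allowlist, which is why an allowlist is the usual mitigation for deserialization of untrusted data.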
(des)