Veeam has released patches for a critical-severity remote code execution vulnerability in Backup & Replication.
March 20, 2025 By Ionut Arghire
Backup, recovery, and data protection firm Veeam on Wednesday announced patches for a critical-severity vulnerability in its Backup & Replication product that could allow attackers to execute arbitrary code remotely.
In a sparse advisory, Veeam notes that the security defect, tracked as CVE-2025-23120 (CVSS score of 9.9), could allow for “remote code execution (RCE) by authenticated domain users”, and that Backup & Replication version 12.3.0.310 and earlier version 12 builds are affected.
The company recommends updating to Backup & Replication version 12.3.1 (build 12.3.1.1139), which includes patches for the flaw.
According to cybersecurity firm watchTowr, which was credited for reporting the vulnerability, CVE-2025-23120 is rooted in a broader issue within Veeam’s deserialization mechanism, which the company has failed to properly address.