Data resilience solutions provider Veeam Software released a critical patch for its Veeam Backup & Replication product. The update fixes a deserialization issue that can result in remote code execution as the SYSTEM user on the underlying Windows server.
The issue can be exploited by any authenticated account that’s part of the local users group on the Windows host, but Veeam servers joined to an Active Directory domain are at much higher risk because in default configurations the domain users group is added to the local users group on domain-joined computers. This means that if attackers manage to execute malicious code on any Windows computer on the network – a common occurrence – they can easily use that computer’s active account to exploit this vulnerability on the Veeam Backup & Replication server if it’s joined to the same AD domain.
Despite this issue being assigned a single CVE identifier, CVE-2025-23120, researchers from security firm watchTowr argue that it is actually two vulnerabilities, because there are two distinct avenues to exploit the problem.
Veeam advises users to upgrade to Veeam Backup & Replication 12.3.1 or install the hotfix for version 12.3 if an upgrade cannot be performed immediately. The hotfix only works on deployments that haven’t had other hotfixes applied previously because it might replace them.
New Veeam flaw comes from previous incomplete patch
The new deserialization problems discovered by watchTowr stem from an incomplete patch for an older flaw patched in 2024 as CVE-2024-40711 and which was later exploited by two ransomware gangs. In fact, the Veeam Backup & Replication product has been a target for ransomware gangs and other cybercriminal groups several times since 2023.
Serialization is the process of transforming data into a byte stream for transmission to another application and deserialization is the reverse of that process. The deserialization of input from untrusted sources has been the cause of many remote code execution vulnerabilities in a variety of programming languages.
Why black lists are bad
Application developers have gotten in the habit of mitigating deserialization risks by creating blacklists of classes that could be dangerous when deserialized, and as watchTowr explains, this was also Veeam’s approach when addressing CVE-2024-40711. However, history has shown that blacklists are rarely complete.
“Blacklists (also known as block-lists or deny-lists) are based on a very optimistic (and provably flawed) idea that we can just make a list of all the bad classes, and we just keep a record of everything bad that can be done and update our list as and when new bad is introduced,” the researchers wrote.
“Luckily, as an industry, we actually already have a list of all the bad classes in the world, and so this is flawless logic. There are a couple of bitter truths though: This is a lie. While we can agree that nowadays it’s extremely hard to find new deserialization gadgets in programming languages and frameworks (although still possible), products have their own codebase and can contain abusable classes that can be misused during deserialization,” the researchers added. “This is before we even get on to 3rd party libraries.”
Veeam Backup & Replication developers maintain a list of gadgets that are blocked from being deserialized via .NET BinaryFormatter. This list is located in the code at Veeam.Backup.Common.Sources.System.IO.BinaryFormatter.blacklist.txt so when CVE-2024-40711 was discovered, their fix was to add the System.Runtime.Remoting.ObjRef gadget to it.
Problem solved, until watchTowr researcher Sina Kheirkhah found more exploitable classes, System.CodeDom.Compiler.TempFileCollection and System.IO.DirectoryInfo, resulting in vulnerability CVE-2024-42455. These too were added to the blacklist.
Now, watchTowr researcher Piotr Bazydlo found additional exploitable gadgets once again Veeam.Backup.EsxManager.xmlFrameworkDs and Veeam.Backup.Core.BackupSummary, both of which extend the DataSet class, a very popular RCE gadged for deserialization. This is the new CVE-2025-23120 flaw patched Wednesday.
In fact, exploiting CVE-2025-23120 only requires simple changes to the proof-of-concept exploit previously published for CVE-2024-42455.
“We hope that we have provided yet another proof that protection of deserialization sinks with a blacklist should be illegal,” the researchers wrote. “No matter how perfect, or ‘perfecteder’ and state-of-the-art your list is, somebody will eventually find a way to abuse it.”