PT-2025-11958 · Veeam · Veeam Backup & Replication

Published: 2025-03-19 · Updated: 2026-05-04 · CVE-2025-23120

CVSS v3.1: 9.9 (Critical)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Veeam Backup & Replication versions prior to 12.3.1

Description: A deserialization flaw exists in Veeam Backup & Replication, where the application improperly handles serialized data. It allows an authenticated domain user, or a member of the local Users group, to inject malicious objects or gadgets and execute arbitrary code remotely with SYSTEM-level access. The issue is specifically tied to the Veeam.Backup.EsxManager.xmlFrameworkDs and Veeam.Backup.Core.BackupSummary classes. The flaw stems from the use of blacklist-based protection mechanisms, which failed to block certain gadget chains. It only affects installations that are joined to an Active Directory domain.

Recommendations: Upgrade to version 12.3.1 (build 12.3.1.1139). Disconnect the backup server from the domain to align with security best practices.
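The two conditions the advisory states (build below 12.3.1.1139 and a domain-joined backup server) can be checked together on the host. The script below is an added example, not part of the advisory or Veeam's own tooling; it assumes the product's Uninstall entry has a DisplayName starting with "Veeam Backup & Replication" and a DisplayVersion carrying the full four-part build number.

```powershell
# Added exposure check for CVE-2025-23120 (not from the PT-2025-11958 advisory or Veeam).
# Flags the host when Veeam Backup & Replication is older than the fixed build
# 12.3.1.1139 AND the machine is joined to an Active Directory domain.

$FixedBuild = [version]'12.3.1.1139'   # fixed build stated in the advisory

# Locate the product through the standard Uninstall registry hives.
# Assumption: DisplayName starts with "Veeam Backup & Replication" and
# DisplayVersion holds the full four-part build number.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$veeam = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'Veeam Backup & Replication*' } |
    Select-Object -First 1 DisplayName, DisplayVersion

if (-not $veeam) {
    Write-Output 'Veeam Backup & Replication not found in the Uninstall registry; nothing to assess.'
    return
}

$installed = $null
if (-not [version]::TryParse([string]$veeam.DisplayVersion, [ref]$installed)) {
    Write-Output "Could not parse DisplayVersion '$($veeam.DisplayVersion)'; verify the build manually."
    return
}

# Second condition from the advisory: only domain-joined backup servers are affected.
$cs           = Get-CimInstance -ClassName Win32_ComputerSystem
$domainJoined = [bool]$cs.PartOfDomain
$belowFix     = $installed -lt $FixedBuild

if (-not $belowFix) {
    $action = 'Patched (build at or above 12.3.1.1139)'
} elseif ($domainJoined) {
    $action = 'Upgrade to 12.3.1 (build 12.3.1.1139) and remove the backup server from the domain'
} else {
    $action = 'Upgrade to 12.3.1 (build 12.3.1.1139); host is not domain-joined, so the flaw is not currently reachable'
}

[pscustomobject]@{
    Product        = $veeam.DisplayName
    InstalledBuild = $installed.ToString()
    FixedBuild     = $FixedBuild.ToString()
    DomainJoined   = $domainJoined
    Domain         = $cs.Domain
    Vulnerable     = $belowFix -and $domainJoined
    Action         = $action
} | Format-List
```

Run it in an elevated PowerShell session on each backup server; a host reported as not domain-joined but below the fixed build should still be upgraded, since the advisory's domain condition describes current reachability, not the absence of the flaw.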

Exploit · Fix · RCE

Weakness Enumeration

Deserialization of Untrusted Data

Related Identifiers

BDU:2025-03134
CVE-2025-23120

Affected Products

Veeam Backup & Replication