CVE-2025-23120
Published: 20 March 2025
Summary
CVE-2025-23120 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Veeam Veeam Backup \& Replication. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210); ranked in the top 2.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates the RCE vulnerability by requiring timely remediation through application of Veeam patches for the deserialization flaw.
Addresses the CWE-502 deserialization of untrusted data by enforcing validation and sanitization of inputs processed by Veeam Backup & Replication.
Mitigates RCE exploitation impact through memory protections like ASLR and DEP, hindering arbitrary code execution even if deserialization succeeds.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The CVE describes a remote code execution vulnerability in Veeam Backup & Replication exploitable over the network by authenticated domain users via deserialization, directly mapping to Exploitation of Remote Services (T1210) and enabling arbitrary code execution via Command and Scripting Interpreter (T1059).
NVD Description
A vulnerability allowing remote code execution (RCE) for domain users.
Deeper analysisAI
CVE-2025-23120 is a remote code execution (RCE) vulnerability affecting Veeam Backup & Replication. Classified under CWE-502 (Deserialization of Untrusted Data), it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). The issue was published on 2025-03-20 and enables domain users to execute arbitrary code remotely.
The vulnerability can be exploited by authenticated domain users (PR:L) over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). Successful exploitation results in high impacts across confidentiality, integrity, and availability (C:H/I:H/A:H), allowing attackers to achieve RCE within the unchanged security scope (S:U).
Mitigation details are available in the official Veeam knowledge base article at https://www.veeam.com/kb4724 and the Watchtower Labs analysis at https://labs.watchtowr.com/by-executive-order-we-are-banning-blacklists-domain-level-rce-in-veeam-backup-replication-cve-2025-23120/, which cover patches and remediation guidance.
Details
- CWE(s)