CVE-2025-23120
Published: 20 March 2025
Summary
CVE-2025-23120 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Veeam Veeam Backup \& Replication. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210); ranked in the top 2.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-23120 is a remote code execution vulnerability stemming from unsafe deserialization of untrusted data (CWE-502) that affects Veeam Backup & Replication. The flaw carries a CVSS 3.1 score of 8.8 and permits domain-authenticated attackers to achieve full compromise of confidentiality, integrity, and availability over the network without user interaction.
Domain users with network access can exploit the issue to execute arbitrary code on affected Veeam servers. Successful exploitation grants attackers the ability to run commands at the privileges of the Veeam service account, enabling lateral movement, data exfiltration, or deployment of ransomware within the backup infrastructure.
The primary vendor advisory is available at veeam.com/kb4724, with additional technical analysis published by watchTowr Labs. The current EPSS score of 0.4132 matches the observed peak, indicating sustained exploitation interest since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-7177
Vulnerability details
A vulnerability allowing remote code execution (RCE) for domain users.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The CVE describes a remote code execution vulnerability in Veeam Backup & Replication exploitable over the network by authenticated domain users via deserialization, directly mapping to Exploitation of Remote Services (T1210) and enabling arbitrary code execution via Command and Scripting Interpreter (T1059).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly mitigates the RCE vulnerability by requiring timely remediation through application of Veeam patches for the deserialization flaw.
Addresses the CWE-502 deserialization of untrusted data by enforcing validation and sanitization of inputs processed by Veeam Backup & Replication.
Mitigates RCE exploitation impact through memory protections like ASLR and DEP, hindering arbitrary code execution even if deserialization succeeds.