Veeam’s Bug Blunder: How to Lose Friends and Annoy Researchers in One Patch

Veeam patches a critical RCE bug, CVE-2025-23120, but faces backlash for its vulnerability handling. Researchers criticize its blacklist approach, noting that any domain user can exploit the flaw if Active Directory isn’t hardened. Veeam claims domain-joining goes against best practices, but few seem aware.

Key Points:

  • Veeam patched a critical remote code execution bug (CVE-2025-23120) in their Backup and Replication software but faces criticism for handling deserialization vulnerabilities poorly.
  • The vulnerability affects version 12.3.0.310 and earlier, and requires only minimal authentication—any domain user can exploit it.
  • Researchers criticize Veeam’s blocklist-based approach to deserialization vulnerabilities and recommend using a whitelist instead.
  • Veeam is scolded for assigning only one CVE identity despite discovering multiple exploitable gadgets.
  • Ransomware groups frequently target Veeam, and 20% of Rapid7’s incident responses in 2024 involved Veeam exploitation.
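The blocklist-versus-allowlist point in the key points above is easier to see with a small worked example. The following is an added illustration, not Veeam's code and not the article's: it uses Python's `pickle` as a stand-in for the .NET deserializer the article is about (the analogous .NET control is a custom `SerializationBinder`). The two payloads and the list contents are constructed for the demonstration. A blocklist only stops the classes its author thought of, so an unexpected type sails through; an allowlist rejects everything the application did not explicitly expect.

```python
import collections
import datetime
import io
import pickle

# Constructed sample payloads (not from Veeam or the article). In a real
# service these bytes would arrive from a client over the network.
LEGIT_PAYLOAD = pickle.dumps(
    {"job": "nightly-backup", "started": datetime.datetime(2025, 3, 20, 1, 0)}
)
# A type the service never expected. Harmless here, but it stands in for any
# class the blocklist author did not anticipate (a "gadget" in the article's terms).
UNEXPECTED_PAYLOAD = pickle.dumps(collections.Counter({"a": 1}))

# Blocklist: modules considered dangerous when the list was written.
# Incomplete by construction: anything not named is let through.
BLOCKED_MODULES = {"os", "subprocess"}

# Allowlist: the exact (module, class) pairs the application actually expects.
ALLOWED_CLASSES = {("datetime", "datetime")}


class BlocklistUnpickler(pickle.Unpickler):
    """Deny-by-exception: resolve any class unless its module is blocked."""

    def find_class(self, module, name):
        if module in BLOCKED_MODULES:
            raise pickle.UnpicklingError(f"blocked module: {module}.{name}")
        return super().find_class(module, name)


class AllowlistUnpickler(pickle.Unpickler):
    """Deny-by-default: resolve a class only if it is explicitly allowed."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_CLASSES:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"class not on allowlist: {module}.{name}")


def load_with_blocklist(data: bytes):
    return BlocklistUnpickler(io.BytesIO(data)).load()


def load_with_allowlist(data: bytes):
    return AllowlistUnpickler(io.BytesIO(data)).load()


def outcome(loader, data: bytes) -> str:
    """Return 'accepted' or 'rejected' for one loader/payload pair."""
    try:
        loader(data)
        return "accepted"
    except pickle.UnpicklingError:
        return "rejected"


def compare(data: bytes) -> dict:
    """Run both strategies on the same bytes and report what each did."""
    return {
        "blocklist": outcome(load_with_blocklist, data),
        "allowlist": outcome(load_with_allowlist, data),
    }


if __name__ == "__main__":
    for label, payload in (("legit", LEGIT_PAYLOAD), ("unexpected", UNEXPECTED_PAYLOAD)):
        print(label, compare(payload))
```

Running it shows the legitimate payload accepted by both loaders, while the unexpected type is accepted by the blocklist and rejected by the allowlist. Plain dictionaries, strings and numbers never trigger `find_class`, so the allowlist can stay very short; each entry in it is a deliberate decision rather than a guess about what an attacker might send next.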
