Last updated at Fri, 28 Mar 2025 20:34:27 GMT
Update Friday, March 28, 2025: Security researchers at CODE WHITE GmbH have noted on social media that it is possible to bypass the patch for CVE-2025-23120. Rapid7 has not directly confirmed the patch bypass, but we are relatively confident in the validity of the finding. Customers should ensure Veeam Backup & Replication is not internet-facing as an urgent priority.
On Wednesday, March 19, 2025, backup and recovery software provider Veeam published a security advisory for a critical remote code execution vulnerability tracked as CVE-2025-23120. The vulnerability affects Backup & Replication systems that are domain joined. Veeam explicitly mentions that domain-joined backup servers are against security and compliance best practices, but in reality, we believe this is likely to be a relatively common configuration.
Veeam’s advisory indicates that the vulnerability is authenticated, though the CVSS score for CVE-2025-23120 is listed as 9.9. The advisory itself states that “authenticated domain users” can exploit the vulnerability but says little else — it’s possible that additional exploitation criteria will be published later on. According to Veeam, all supported versions of Backup & Replication are affected.
Note: No public proof-of-concept exploit was available at the time of this blog’s publication, but technical details (including exploit development guidance) have been released by WatchTowr Labs as of March 20, 2025.
Veeam Backup & Replication has a very large deployment footprint, and backup solutions are commonly targeted by threat actors. Veeam Backup & Replication should not be exposed to the internet, so this vulnerability is more useful to an adversary as an internal attack vector, after initial access has already been gained, than as an external one. Still, plenty of previous Veeam Backup & Replication vulnerabilities have been exploited in the wild, including by ransomware groups.
As we have mentioned previously, more than 20% of Rapid7 incident response cases in 2024 involved Veeam being accessed or exploited in some manner, typically once an adversary has already established a foothold in the target environment.
Mitigation guidance
Veeam Backup & Replication 12.3.0.310 and all earlier version 12 builds are vulnerable to CVE-2025-23120, per the vendor advisory.
Customers should update to the latest version of the software (12.3 build 12.3.1.1139) immediately, without waiting for a regular patch cycle to occur. Per the vendor, unsupported software versions were not tested but should be considered vulnerable. Note: On Friday, March 28, third-party security researchers posted on social media that the patch can be bypassed; there had been no vendor communication about this issue as of 4:30 PM ET. Customers should ensure that Veeam Backup & Replication is not exposed to the public internet.
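As an added illustration (this is not code from Rapid7 or from Veeam), the PowerShell below, run locally on a backup server, applies the two conditions described above: it reads the installed build from the file version of Veeam.Backup.Service.exe and compares it numerically against the fixed build 12.3.1.1139, and it checks whether the host is domain-joined via Win32_ComputerSystem. The default install path is an assumption; pass -ServicePath for a non-default install. Following the vendor's guidance, unsupported pre-12 builds are treated as vulnerable as well.

```powershell
# Added example; not from the Rapid7 post, from Veeam, or from any vendor tooling.
# Flags a Veeam Backup & Replication server that is on a build affected by
# CVE-2025-23120 and is domain-joined (the precondition the advisory names).
# ASSUMPTION: Veeam.Backup.Service.exe lives at the default install path below;
# override -ServicePath for non-default installs.
param(
    [string]$ServicePath = 'C:\Program Files\Veeam\Backup and Replication\Backup\Veeam.Backup.Service.exe'
)

# Threshold from the vendor advisory as summarized above: 12.3.0.310 and all
# earlier v12 builds are affected; 12.3.1.1139 is the first build with the fix.
$FixedBuild = [version]'12.3.1.1139'

function Get-VeeamBuild {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        throw "Veeam service binary not found at '$Path'; pass -ServicePath for a non-default install."
    }
    $fileVersion = (Get-Item -LiteralPath $Path).VersionInfo.FileVersion
    # Compare as [version], not as a string: "12.3.0.310" sorts after "12.3.1.1139"
    # lexically but is the older (affected) build.
    if ($fileVersion -notmatch '(\d+\.\d+\.\d+\.\d+)') {
        throw "Could not parse a four-part version from '$fileVersion'"
    }
    return [version]$Matches[1]
}

function Test-DomainJoined {
    # PartOfDomain is $true when the machine account belongs to an AD domain,
    # $false for workgroup members.
    return [bool](Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain
}

$build  = Get-VeeamBuild -Path $ServicePath
$joined = Test-DomainJoined

# Per the vendor, unsupported (pre-12) versions were not tested and should be
# treated as vulnerable, so anything below the fixed build is flagged.
$affectedBuild = $build -lt $FixedBuild

Write-Host ("Veeam B&R build : {0}" -f $build)
Write-Host ("Domain-joined   : {0}" -f $joined)

if ($affectedBuild -and $joined) {
    Write-Warning "EXPOSED: build $build is below fixed build $FixedBuild and the server is domain-joined; update to $FixedBuild now."
    exit 2
}
elseif ($affectedBuild) {
    Write-Warning "Build $build is below fixed build $FixedBuild. Not domain-joined, so the advisory's precondition is not met, but update anyway."
    exit 1
}
else {
    Write-Host "Build $build is at or above $FixedBuild. A patch bypass has been reported; keep this server off the public internet regardless."
    exit 0
}
```

The exit codes (2 affected and domain-joined, 1 affected only, 0 otherwise) make the script usable from a fleet orchestration tool. A clean result only covers the build and domain-join conditions; the script cannot assess the reported patch bypass or whether the server is reachable from the internet, so those checks still have to be made separately.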
Rapid7 customers
InsightVM and Nexpose customers can assess their exposure to CVE-2025-23120 with a vulnerability check available in the March 20, 2025 content release.