Veeam and IBM Release Patches for High-Risk Flaws in Backup and AIX Systems
Briefly

Veeam has urgently patched a critical vulnerability, tracked as CVE-2025-23120, in its Backup & Replication software that allows remote code execution (RCE) by authenticated domain users. Discovered by Piotr Bazydlo, the flaw arises from inconsistent deserialization handling. It affects version 12.3.0.310 and earlier builds and scores 9.9 out of 10 on the CVSS scale. The patch, introduced in version 12.3.1, adds the necessary gadgets to the blocklist, but concerns remain regarding potential future risks if new vulnerabilities are identified.
A vulnerability allowing remote code execution (RCE) by authenticated domain users was identified in Veeam's Backup & Replication software, necessitating urgent security updates.
The flaw, discovered by security researcher Piotr Bazydlo, pertains to inconsistent deserialization handling, allowing exploitation by any user in the local users group.
Read at The Hacker News