NAVANEM
CVE-2025-23120

Veeam Backup & Replication, .NET deserialization remote code execution

A deserialization of untrusted data vulnerability in Veeam Backup & Replication allows a remote, authenticated domain user to execute arbitrary code on the Backup Server. The flaw stems from insecure handling of .NET serialized objects in the product's internal communication, where deserialization gadget chains can be abused to run attacker-controlled code in the context of the Veeam service. Only domain-joined backup servers are affected, but on such servers exploitation requires nothing more than low-privileged domain credentials. Joining the backup server to the production domain is a configuration that Veeam's best practices explicitly discourage, yet it is commonly found in production.

Overview

CVE-2025-23120 is a deserialization of untrusted data vulnerability (CWE-502) in Veeam Backup & Replication that allows any authenticated Active Directory domain user to achieve remote code execution on the Backup Server. Veeam published advisory KB4724 on March 19-20, 2025, after the issue was reported by Piotr Bazydlo of watchTowr. NVD assigns a primary CVSS 3.1 base score of 8.8 (High); Veeam and the reporting researchers rate it CVSS 3.1 9.9 (Critical) using a scope-changed vector. The vulnerability affects only domain-joined backup servers, a deployment that Veeam's own hardening guidance advises against precisely because it widens the blast radius of credential compromise.

Technical Details

Veeam Backup & Replication exposes internal .NET remoting endpoints that deserialize objects supplied by connecting clients. CVE-2025-23120 arises because the deserialization logic relies on a blocklist of known-dangerous gadget classes rather than a strict allowlist of the types the protocol actually needs. watchTowr's analysis showed that xmlFrameworkDs (a System.Data.DataSet subclass) and BackupSummary were not covered by the blocklist and could be used to reach a DataSet-style gadget that instantiates arbitrary types during object reconstruction. By submitting a crafted serialized payload over the network, a low-privileged domain account that can authenticate to the backup host triggers the gadget chain and executes code in the security context of the Veeam service, which runs with high privilege on the backup server. Because the weakness is the blocklist approach itself rather than any single class, watchTowr's research describes two related RCE primitives built on similar deserialization gadgets, and further bypasses remain possible for as long as the deserializer enumerates bad types instead of permitting known-good ones. The NVD vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H reflects network reachability, low attack complexity, and the requirement for low-privileged authentication with no user interaction; Veeam's 9.9 rating differs only in scoring the scope as changed (S:C).
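To make the blocklist-versus-allowlist distinction concrete, here is an added Python analogue. It is not Veeam's code and not a .NET gadget chain; it uses pickle's find_class hook, which plays the role a .NET SerializationBinder plays when it decides which types a payload may name. The blocklist resolver rejects a few well-known dangerous callables but admits any callable it never listed (a harmless socket.gethostname stands in for xmlFrameworkDs), while the allowlist resolver admits only the types the protocol needs. The blocklist and allowlist contents and the Gadget class are assumptions made for the demonstration.

```python
import io
import pickle
import socket

# Assumed "known-dangerous" blocklist: the approach the advisory text describes.
# Anything not named here is implicitly trusted, which is the whole problem.
BLOCKLIST = {
    ("os", "system"),
    ("subprocess", "Popen"),
    ("builtins", "eval"),
    ("builtins", "exec"),
}

# Assumed allowlist: only the plain data types this (hypothetical) protocol carries.
ALLOWLIST = {
    ("builtins", "dict"),
    ("builtins", "list"),
    ("collections", "OrderedDict"),
}


class BlocklistUnpickler(pickle.Unpickler):
    """Rejects listed gadgets, resolves everything else: the flawed design."""

    def find_class(self, module, name):
        if (module, name) in BLOCKLIST:
            raise pickle.UnpicklingError(f"blocked gadget {module}.{name}")
        return super().find_class(module, name)


class AllowlistUnpickler(pickle.Unpickler):
    """Resolves only pre-approved types: the hardened design."""

    def find_class(self, module, name):
        if (module, name) not in ALLOWLIST:
            raise pickle.UnpicklingError(f"type not permitted: {module}.{name}")
        return super().find_class(module, name)


class Gadget:
    """Stand-in for an unlisted gadget class. On deserialization the runtime
    calls a callable of the payload author's choosing; here a harmless one."""

    def __reduce__(self):
        return (socket.gethostname, ())


def build_payload() -> bytes:
    # The serialized bytes reference socket.gethostname, not Gadget itself.
    return pickle.dumps(Gadget())


def deserialize_with_blocklist(payload: bytes):
    return BlocklistUnpickler(io.BytesIO(payload)).load()


def deserialize_with_allowlist(payload: bytes):
    return AllowlistUnpickler(io.BytesIO(payload)).load()


def demo() -> tuple[bool, bool]:
    """Returns (gadget ran under blocklist, gadget rejected under allowlist)."""
    payload = build_payload()
    ran_under_blocklist = deserialize_with_blocklist(payload) == socket.gethostname()
    try:
        deserialize_with_allowlist(payload)
        rejected_under_allowlist = False
    except pickle.UnpicklingError:
        rejected_under_allowlist = True
    return ran_under_blocklist, rejected_under_allowlist


if __name__ == "__main__":
    print(demo())
```

The blocklist resolver never sees anything it recognises as dangerous, so the payload's callable runs and its return value becomes the "deserialized object". The allowlist resolver fails closed on the first unfamiliar type name, which is the property a deserializer on an authenticated-but-untrusted boundary needs.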

Impact

  • Remote code execution on the Veeam Backup Server in the context of the high-privileged backup service.
  • Full compromise of the backup infrastructure, including stored credentials, backup repositories, and job configurations.
  • A direct path to ransomware impact: attackers who control the backup server can delete or encrypt backups before encrypting production data, defeating recovery.
  • Exploitable by any domain user when the backup server is domain-joined, dramatically lowering the privilege bar from administrator to ordinary account.
  • Confidentiality, integrity, and availability are all rated High in the CVSS vector.

Mitigation

  1. Upgrade Veeam Backup & Replication to version 12.3.1 (build 12.3.1.1139) or later, which fully remediates the vulnerability. This is the recommended action for all deployments.
  2. If you are running build 12.3.0.310 and cannot immediately upgrade, apply the official hotfix package VeeamBackup&Replication_12.3.0.310_KB4724.zip (MD5 5185235DEA2AC9F2814638534B16A6DB) per KB4724. The hotfix is only compatible if no other hotfixes are already installed; otherwise upgrade to 12.3.1.
  3. As a defense-in-depth measure, follow Veeam hardening guidance and remove the backup server from the Active Directory domain, placing it in a workgroup or a separate management/isolated domain so that ordinary domain credentials cannot reach it.
  4. Restrict network access to the backup server's management interfaces to only the administrative hosts and accounts that require it.

Detection

The vendor has not published a network (IDS) signature, so detection relies on host telemetry and access auditing on the backup server. Begin by confirming exposure: check the installed build via the Veeam console (Help > About) or the registry value under HKLM\SOFTWARE\Veeam\Veeam Backup and Replication and compare it against the fixed build 12.3.1.1139. Treat any domain-joined server running 12.3.0.310 or earlier as vulnerable until it is upgraded or, for 12.3.0.310 only, until the KB4724 hotfix has been confirmed present; since a hotfix does not necessarily change the reported build number, confirm hotfix presence separately rather than relying on the build alone.

For compromise assessment, monitor the Veeam Backup Service process tree. Successful exploitation results in code execution under the service account, so any child process spawned by Veeam.Backup.Service.exe that is not a known Veeam component (for example cmd.exe, powershell.exe, rundll32.exe, or unexpected conhost.exe children) is a strong indicator of post-exploitation activity. Enable Windows process-creation auditing (Event ID 4688) with command-line logging, and forward these events to your SIEM with a rule that alerts on non-Veeam descendants of the backup service.
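The exposure check and the process-tree rule above, as an added example that is not part of the original page or of any Veeam tooling. The 4688 records are constructed, condensed to the four fields the rule needs; the list of legitimate children of Veeam.Backup.Service.exe is an assumed baseline that must be tuned against your own environment; and whether the KB4724 hotfix is present is passed in explicitly because the build number alone is assumed not to reveal it.

```python
# Fixed build from KB4724 and the build that the standalone hotfix targets.
FIXED_BUILD = (12, 3, 1, 1139)
HOTFIX_BUILD = (12, 3, 0, 310)

# Assumed baseline of processes the backup service legitimately spawns.
# Illustrative only: build your own from a known-good host before alerting.
KNOWN_VEEAM_CHILDREN = {
    "veeam.backup.manager.exe",
    "veeamagent.exe",
}

# Constructed 4688 records (not real telemetry): EventID|key=value|...
SAMPLE_4688 = [
    r"4688|SubjectUserName=svc_veeam|NewProcessName=C:\Program Files\Veeam\Backup and Replication\Backup\Veeam.Backup.Manager.exe|CreatorProcessName=C:\Program Files\Veeam\Backup and Replication\Backup\Veeam.Backup.Service.exe|CommandLine=Veeam.Backup.Manager.exe",
    r"4688|SubjectUserName=svc_veeam|NewProcessName=C:\Windows\System32\cmd.exe|CreatorProcessName=C:\Program Files\Veeam\Backup and Replication\Backup\Veeam.Backup.Service.exe|CommandLine=cmd.exe /c whoami",
    r"4688|SubjectUserName=svc_veeam|NewProcessName=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|CreatorProcessName=C:\Program Files\Veeam\Backup and Replication\Backup\Veeam.Backup.Service.exe|CommandLine=powershell.exe -nop -w hidden",
    r"4688|SubjectUserName=jdoe|NewProcessName=C:\Windows\System32\notepad.exe|CreatorProcessName=C:\Windows\explorer.exe|CommandLine=notepad.exe",
    r"4624|SubjectUserName=jdoe|LogonType=3",
]


def parse_build(build: str) -> tuple:
    """'12.3.1.1139' -> (12, 3, 1, 1139) so builds compare numerically."""
    return tuple(int(part) for part in build.strip().split("."))


def exposure(build: str, hotfix_present: bool = False) -> str:
    """Classify a reported build as fixed, hotfixed or vulnerable."""
    parsed = parse_build(build)
    if parsed >= FIXED_BUILD:
        return "fixed"
    if parsed == HOTFIX_BUILD and hotfix_present:
        return "hotfixed"
    return "vulnerable"


def parse_4688(line: str) -> dict:
    """Split a condensed record into a field dictionary."""
    event_id, *fields = line.split("|")
    record = {"EventID": event_id}
    for field in fields:
        key, _, value = field.partition("=")
        record[key] = value
    return record


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, for case-insensitive matching."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def suspicious_children(lines) -> list:
    """Return (child, account, command line) for every process the backup
    service spawned that is not in the known-good baseline."""
    hits = []
    for line in lines:
        record = parse_4688(line)
        if record.get("EventID") != "4688":
            continue
        parent = basename(record.get("CreatorProcessName", ""))
        child = basename(record.get("NewProcessName", ""))
        if parent == "veeam.backup.service.exe" and child not in KNOWN_VEEAM_CHILDREN:
            hits.append((child, record.get("SubjectUserName"), record.get("CommandLine")))
    return hits


if __name__ == "__main__":
    print(exposure("12.3.0.310"), exposure("12.3.0.310", hotfix_present=True))
    for hit in suspicious_children(SAMPLE_4688):
        print("ALERT non-Veeam child of backup service:", hit)
```

The rule keys on the parent, not the child, so it catches living-off-the-land binaries the page does not list as well as the obvious cmd.exe and powershell.exe; the cost is that every legitimate Veeam helper must be in the baseline, which is why the baseline should come from a clean host rather than from a guess.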

Review authentication and network logs for anomalous low-privileged domain accounts establishing sessions to the backup server, particularly to the .NET remoting and Veeam service ports. Correlate Security Event IDs 4624/4672 with the source account and host; an ordinary user account logging on to the backup server interactively or over the network warrants investigation given that no standard user should be reaching that system. On the network layer, watch for unexpected outbound connections from the backup server (beacons, reverse shells) immediately following inbound client connections.

Because exploitation can lead directly to backup tampering, audit Veeam job and repository changes: unexpected deletion of restore points, disabled jobs, modified retention policies, or new credentials added to the configuration database are high-fidelity signals that the backup server has been controlled. Where supported, enable immutable backups and a separate, offline copy so that detection failures do not become recovery failures. Finally, retro-hunt for these indicators over the window between disclosure and your patch date: the vulnerability was disclosed in March 2025 and public technical analysis, including a working understanding of the gadget chain, followed shortly after, giving capable actors time to develop exploits even though CISA had not added this CVE to the Known Exploited Vulnerabilities catalog as of this writing.
