
Veeam Patches New Critical RCE Flaw in Backup Software


Backup software giant Veeam has released urgent security updates after discovering a critical vulnerability in its Backup & Replication software that could allow attackers to execute code remotely. Tracked as CVE-2025-23120, the flaw carries a near-perfect CVSS score of 9.9 out of 10, signaling an extremely high risk.

The vulnerability affects version 12.3.0.310 and all earlier version 12 builds. Veeam warned that the flaw could be exploited by any authenticated domain user, potentially leading to remote code execution (RCE) on the backup server.

Security researcher Piotr Bazydlo of watchTowr, credited with discovering the flaw, explained that the issue stems from inconsistent handling of deserialization mechanisms within Veeam’s software. Specifically, an allowlisted class intended to prevent dangerous deserialization can be manipulated by attackers due to a blocklist oversight.

The flaw allows a malicious user to abuse deserialization gadgets like Veeam.Backup.EsxManager.xmlFrameworkDs and Veeam.Backup.Core.BackupSummary — both missing from the blocklist — to trigger RCE.

“Any user in the local users group on the Veeam server host is in scope,” researchers warned. “Even worse, if the server is joined to a domain, any domain user could exploit this flaw.”

Veeam has patched the vulnerability in version 12.3.1 (build 12.3.1.1139) by adding the two overlooked gadgets to its blocklist. However, the researchers noted that the fix is temporary and new deserialization gadgets could surface in future builds.
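The difference between the blocklist fix described above and the more durable alternative, as an added C# example that is not Veeam's code (the page does not say how Veeam's filter is built; modelling it as a BinaryFormatter SerializationBinder, the JobStatus type and the unknown gadget name are assumptions):

```csharp
using System;
using System.Collections.Generic;
using System.Runtime.Serialization;
// Blocklist policy: only gadget types someone has already named are refused;
// any other type name resolves normally, so a gadget found later passes.
public sealed class BlocklistBinder : SerializationBinder
{
    private static readonly HashSet<string> Denied = new(StringComparer.Ordinal)
    {
        // Hypothetical list contents: the two names the article reports as added in 12.3.1.
        "Veeam.Backup.EsxManager.xmlFrameworkDs",
        "Veeam.Backup.Core.BackupSummary",
    };
    public override Type? BindToType(string assemblyName, string typeName)
    {
        if (Denied.Contains(typeName))
            throw new SerializationException($"refused blocklisted type {typeName}");
        // Returning null hands the lookup back to the formatter's default binding.
        return Type.GetType($"{typeName}, {assemblyName}", throwOnError: false);
    }
}
// Allowlist policy: only the concrete types this endpoint expects resolve at all,
// so a newly discovered gadget class fails closed without a list update.
public sealed class AllowlistBinder : SerializationBinder
{
    private static readonly Dictionary<string, Type> Allowed = new(StringComparer.Ordinal)
    {
        ["JobStatus"] = typeof(JobStatus),   // hypothetical expected payload type
    };
    public override Type? BindToType(string assemblyName, string typeName) =>
        Allowed.TryGetValue(typeName, out var t) ? t
            : throw new SerializationException($"type not allowlisted: {typeName}");
}
[Serializable] public sealed class JobStatus { public string Name = ""; public bool Ok; }
public static class Demo
{
    // True when the binder lets the type name through; binders throw to refuse.
    public static bool Admits(SerializationBinder b, string typeName)
    {
        try { b.BindToType("Any.Assembly", typeName); return true; }
        catch (SerializationException) { return false; }
    }
    public static void Main()
    {
        const string unknown = "Some.Assembly.NotYetKnownGadget";   // constructed name
        Console.WriteLine($"blocklist admits unknown gadget: {Admits(new BlocklistBinder(), unknown)}");
        Console.WriteLine($"allowlist admits unknown gadget: {Admits(new AllowlistBinder(), unknown)}");
    }
}
```

Assign the chosen binder to the formatter's Binder property before deserializing; with the allowlist, adding a gadget name to a list is no longer the only thing standing between a new gadget and code execution.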

The Veeam flaw wasn’t the only high-risk vulnerability disclosed this week. IBM announced patches for two severe bugs impacting its AIX operating system — both of which could allow remote command execution.

Here’s what’s affected:

  • CVE-2024-56346 (CVSS 10.0) – An improper access control flaw in nimesis NIM master service that enables remote attackers to execute arbitrary commands.
  • CVE-2024-56347 (CVSS 9.6) – A similar access control issue in the nimsh service’s SSL/TLS protection, also permitting remote command execution.

Both vulnerabilities affect AIX versions 7.2 and 7.3. While there are no reports of exploitation so far, IBM strongly urges users to patch immediately to avoid potential compromise.

Neither Veeam nor IBM has reported active attacks in the wild yet, but both companies emphasize the critical importance of patching immediately. Given the potential for domain-wide compromise in Veeam’s case and full remote access in IBM’s, organizations running these systems are urged to act fast.

Cybersecurity experts warn that vulnerabilities tied to deserialization flaws often pave the way for serious breaches, especially when exploited by insiders or domain users with minimal privileges.

As attackers continue evolving their methods, rapid patching remains the best defense against remote code execution threats.
