Mallory
Severity: High · Public exploit

Veeam Backup & Replication Domain User RCE

Identifiers: CVE-2025-23120 · CWE-502 (Deserialization of Untrusted Data)

CVE-2025-23120 is a critical remote code execution vulnerability in Veeam Backup & Replication that affects domain-joined backup server deployments. Public reporting states that the flaw allows an authenticated domain user to achieve remote code execution against the backup server, and ties this class of Veeam issues to insecure use of Microsoft's BinaryFormatter deserialization (CWE-502). Researchers described the later CVE-2025-23121 as a bypass of the patch for CVE-2025-23120, which places both in the same deserialization-driven RCE problem space in Veeam Backup & Replication. In short, when the Veeam server is joined to a Windows domain, a low-privilege domain account is enough to compromise the backup infrastructure.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation gives an attacker arbitrary code execution on the Veeam Backup & Replication server from the context of an authenticated domain user. Because the affected system is backup infrastructure, compromise can lead to takeover of backup operations, tampering with or deletion of backups, malware deployment, and use of the backup server as a pivot point for broader enterprise compromise. Public reporting also associates exploitation of Veeam RCE flaws with ransomware activity, including operators linked to Akira, Fog, and Frag, so backup sabotage and ransomware staging are realistic outcomes.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure by ensuring Veeam Backup & Replication servers are not joined to the production domain where feasible, consistent with Veeam best practices. Isolate backup infrastructure in a separate Active Directory forest, restrict which users can authenticate to backup servers, enforce MFA for administrative access, segment backup servers from general user networks, and monitor for suspicious activity involving backup services. Because the issue depends on domain-user reachability in domain-joined deployments, minimizing domain trust and interactive access to the backup server materially reduces risk until the patch is applied.
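A read-only audit that checks the interim mitigations above on a Veeam Backup & Replication server. This is an added example, not code from Mallory or Veeam. It assumes Windows PowerShell 5.1 or later with the built-in LocalAccounts module, reads the installed Veeam version from the standard Windows Uninstall registry keys, and takes the patched version number as a parameter because this page does not state it; read that value from the Veeam advisory before relying on the comparison.

```powershell
# Added example (not from Mallory or Veeam): audit a Veeam Backup & Replication
# server against the interim mitigations for CVE-2025-23120.
# Run as an administrator on the backup server. Assumptions: PowerShell 5.1+,
# LocalAccounts module available, Veeam registered under the Uninstall keys.
param(
    # PLACEHOLDER: the fixed build from the Veeam advisory; omitted = report only.
    [version]$PatchedVersion
)

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Domain membership. Veeam guidance prefers backup servers that are not joined
#    to the production domain; in a domain-joined deployment any authenticated
#    domain user is within reach of this flaw.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if ($cs.PartOfDomain) {
    $findings.Add("RISK: server is joined to domain '$($cs.Domain)'; authenticated domain users can reach the Veeam server.")
} else {
    $findings.Add("OK: server is not domain-joined (workgroup '$($cs.Workgroup)').")
}

# 2. Installed Veeam version, from the 64-bit and 32-bit Uninstall registry views.
$uninstallPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$veeam = Get-ItemProperty -Path $uninstallPaths -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'Veeam Backup & Replication*' } |
    Select-Object -First 1

if ($null -eq $veeam) {
    $findings.Add('INFO: Veeam Backup & Replication not found in the Uninstall registry keys.')
} else {
    $installed = $null
    if (-not [version]::TryParse($veeam.DisplayVersion, [ref]$installed)) {
        $findings.Add("INFO: could not parse Veeam DisplayVersion '$($veeam.DisplayVersion)'.")
    } elseif ($null -eq $PatchedVersion) {
        $findings.Add("INFO: installed Veeam version $installed; compare it with the fixed build in the Veeam advisory.")
    } elseif ($installed -lt $PatchedVersion) {
        $findings.Add("RISK: installed Veeam version $installed is below the patched version $PatchedVersion; apply the vendor update.")
    } else {
        $findings.Add("OK: installed Veeam version $installed is at or above $PatchedVersion.")
    }
}

# 3. Domain principals nested into the local Administrators group widen the set
#    of domain users who can authenticate to the backup server with full rights.
$admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
foreach ($member in $admins) {
    if ($member.PrincipalSource -eq 'ActiveDirectory') {
        $findings.Add("REVIEW: domain principal in local Administrators: $($member.Name) ($($member.ObjectClass)).")
    }
}

# 4. Services whose names start with 'Veeam' (the exact service names are an
#    assumption; confirm them on your build) so the operator sees what is running.
Get-Service -Name 'Veeam*' -ErrorAction SilentlyContinue | ForEach-Object {
    $findings.Add("INFO: service $($_.Name) is $($_.Status).")
}

$findings | ForEach-Object { Write-Output $_ }
```

Run it once before and once after applying the mitigations: the domain-join and local Administrators findings are the ones that change when the server is moved to an isolated forest and domain groups are removed from the local admin group, while the version finding tracks the patch path in the Remediation section.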

Remediation

Patch, then assume compromise.

Apply the vendor security update that remediates CVE-2025-23120. Veeam patched CVE-2025-23120 in March 2025 and published advisory guidance for it. Where the affected product is embedded in downstream offerings, such as Rockwell Automation IDC and VVA products, upgrade to the corrected Veeam Backup & Replication version referenced by the vendor and downstream product advisories. Follow Veeam security guidance for hardened backup deployments.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

Valid: 0 / 0 total

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

Vendor            Product                       Type
Veeam Software    Veeam Backup & Replication    application

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

What this page doesn’t show

The version that knows your environment.

This page is what's public. Mallory adds the parts that aren't: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware (2)

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity (5)

Community discussion across Reddit, Mastodon, and other social sources.