
Researchers Advise Caution as Veeam Releases Patch to Fix Critical Vulnerability


Following Veeam's Tuesday release of a patch for a critical remote code execution vulnerability in Backup & Replication, researchers are advising customers to make sure their systems are fully upgraded to the latest version.

The vulnerability, tracked as CVE-2025-23121, allows an authorised domain user to execute code on a backup server. Researchers at watchTowr and Code White GmbH had previously shown that the fix for an earlier vulnerability, CVE-2025-23120, could be circumvented, and the new patch was prepared in response to that disclosure.

Benjamin Harris, CEO of watchTowr, says that Veeam is essentially updating a blacklist of "dangerous deserialisation gadgets" as each one is identified. According to Harris, researchers have watched this happen repeatedly across multiple patches for the Backup & Replication product.

"This blacklisting approach will never be sufficient, as we advocated in March," Harris wrote in an email to Cybersecurity Dive, adding that his team "demonstrated [this] once again in March when we reported further gadgets to Veeam that they have released patches for [on Tuesday] to address."

Veeam stated that the patch fixes the issue, and automatic updates have been enabled for all backup versions.

“When a vulnerability is identified and disclosed, attackers will still try to exploit and reverse-engineer the patches to use the vulnerability on an unpatched version of Veeam software in their exploitation attempts,” a Veeam spokesperson told Cybersecurity Dive via email. “This underlines the importance of ensuring customers are using the latest versions of all software and patches are installed in a timely manner.”

Veeam Backup & Replication backs up, replicates and restores enterprise data, including recovery after a ransomware attack or other malicious intrusion. The servers exposed to this vulnerability are domain-joined backup servers, a deployment Veeam has previously advised against; even so, the risky configuration appears to be common because it is convenient.

Harris noted that Veeam relies on a data-handling function that is known to be intrinsically insecure, and that rather than removing that function, Veeam tries to maintain a list of bad "gadgets" that it should refuse to process.
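To make the contrast Harris draws concrete, here is an added illustration that is not taken from the article or from Veeam's code: Python's `pickle` stands in for the insecure deserialisation function, a subclass with a block-list plays the role of Veeam's gadget list, and an allow-list subclass shows the alternative. The record layout, type names and block-list entries are constructed for the example.

```python
import io
import pickle
from collections import Counter, OrderedDict

# Constructed sample records. A legitimate record for this (invented) format only
# ever contains plain dict/str/int data plus a collections.Counter of file types.
LEGIT_RECORD = pickle.dumps(
    {"job": "nightly-backup", "retention_days": 30, "files": Counter({"vbk": 3})}
)
# A record carrying a type the format never needs. It is harmless here, but it is
# exactly the kind of object a block-list did not anticipate.
UNLISTED_TYPE_RECORD = pickle.dumps(OrderedDict(job="nightly-backup"))

# Pattern 1, the approach the article criticises: keep the general-purpose loader
# and reject a growing list of known-bad types ("gadgets"). Any type not yet on
# the list is still resolved and instantiated.
DENYLISTED_GADGETS = {("os", "system"), ("subprocess", "Popen")}  # illustrative

class DenylistUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        if (module, name) in DENYLISTED_GADGETS:
            raise pickle.UnpicklingError(f"blocked known gadget {module}.{name}")
        return super().find_class(module, name)  # unknown types still resolve

# Pattern 2: stop resolving arbitrary types at all. Only the types this format
# actually requires may be looked up; everything else is rejected without the
# defender first having to learn that it is dangerous.
ALLOWED_TYPES = {("collections", "Counter")}  # dict/str/int are literal opcodes

class AllowlistUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        if (module, name) not in ALLOWED_TYPES:
            raise pickle.UnpicklingError(f"type {module}.{name} not in allow-list")
        return super().find_class(module, name)

def load_record(unpickler_cls, data):
    """Deserialise data under the given policy: ("ok", obj) or ("rejected", why)."""
    try:
        return "ok", unpickler_cls(io.BytesIO(data)).load()
    except pickle.UnpicklingError as exc:
        return "rejected", str(exc)

if __name__ == "__main__":
    for policy in (DenylistUnpickler, AllowlistUnpickler):
        for label, blob in (("legit", LEGIT_RECORD), ("unlisted", UNLISTED_TYPE_RECORD)):
            print(policy.__name__, label, load_record(policy, blob)[0])
```

Both policies accept the legitimate record, but only the allow-list rejects the record with an unexpected type; the block-list lets it through because nobody had added it yet, which is the gap Harris describes.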

Veeam has around 550,000 customers, and ransomware gangs often exploit the product's flaws. Rapid7 researchers revealed on Tuesday that more than 20% of the firm's incident response cases in 2024 involved Veeam being accessed or abused.