Veeam RCE Vulnerability Allows Domain Users to Compromise Backup Servers

A recent security analysis by watchTowr Labs has uncovered a critical Remote Code Execution (RCE) vulnerability in Veeam Backup & Replication, a widely used backup and replication solution.

The vulnerability, tracked as CVE-2025-23120, stems from the product's deserialization mechanism. Any low-privileged user on the Windows host can reach it, and if the host is joined to an Active Directory domain, that means any domain user can compromise the backup server.

Exploitation Mechanism

Veeam guards deserialization with a blacklist of known-dangerous classes. That approach is inherently fragile: it works only if the list is exhaustive, and any class that is not on it is accepted.

The researchers found that deserialization gadgets missing from Veeam's blacklist let an attacker execute arbitrary code on the server.

One such gadget is the xmlFrameworkDs class. It extends DataSet, a well-known RCE gadget in .NET deserialization, so it inherits DataSet's dangerous deserialization behaviour while carrying a class name that the blacklist does not match.

According to the watchTowr Labs report, deserializing that DataSet subclass gives the attacker immediate RCE.

Privileges Required

Exploitation requires only low privileges: the vulnerable interface is reachable by any member of the local Users group on the Windows host running the Veeam server.

More critically, if the server is joined to an Active Directory domain, any domain user can exploit it.

This is because the Domain Users group is added to the local Users group when a Windows host joins a domain, so domain membership alone satisfies the access check; no backup-specific role or credential is needed.

The implications of this vulnerability are significant, as it could allow malicious actors to gain SYSTEM-level access to backup servers, potentially compromising sensitive data and disrupting critical backup operations.

Veeam's response to earlier deserialization flaws has been to extend the blacklist, an approach that leaves the product exposed to every gadget that has not yet been discovered.

Administrators should apply Veeam's fix and, where feasible, keep the backup server out of the production domain, since domain membership is what extends the attack surface to every domain user. A more durable fix on the vendor side is to allowlist the classes that deserialization may instantiate rather than deny-list the ones known to be dangerous.

As long as the mechanism remains blacklist-based, the concern stands: maintaining an exhaustive list of malicious classes is not practically achievable.
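The difference between the two approaches, as an added example that is not Veeam's code and not taken from the watchTowr report: a .NET SerializationBinder written as a denylist beside one written as an allowlist. The types JobSpec and ReportDs are hypothetical; ReportDs stands in for a vendor class that extends DataSet, as the article says xmlFrameworkDs does. The denylist binder matches on type name, so it resolves the subclass even though it inherits DataSet's deserialization behaviour; the allowlist binder rejects anything it was not explicitly given. The code assumes a reference to System.Data and illustrates the gadget-subclass point above as well as the allowlisting recommendation.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Runtime.Serialization;

// Hypothetical application type that is legitimately serialized (assumption).
[Serializable]
public sealed class JobSpec
{
    public string Name;
}

// Hypothetical stand-in for a vendor class that extends DataSet (assumption:
// this is not Veeam's xmlFrameworkDs, only a class with the same relationship).
[Serializable]
public sealed class ReportDs : DataSet { }

// Denylist binder: the pattern the article criticises. It blocks known-bad
// type names and lets every other name resolve.
public sealed class DenylistBinder : SerializationBinder
{
    private static readonly HashSet<string> Denied = new HashSet<string>(StringComparer.Ordinal)
    {
        "System.Data.DataSet",
        "System.Data.DataTable",
    };

    public override Type BindToType(string assemblyName, string typeName)
    {
        if (Denied.Contains(typeName))
            throw new SerializationException("denied type: " + typeName);

        // Anything not on the list resolves, including an unlisted subclass
        // of a denied type, which still carries the parent's deserialization path.
        return Type.GetType(typeName + ", " + assemblyName, throwOnError: true);
    }
}

// Allowlist binder: only types that were registered up front can be created.
// Nothing is looked up by reflection, so an unknown name cannot resolve.
public sealed class AllowlistBinder : SerializationBinder
{
    private static readonly Dictionary<string, Type> Allowed = new Dictionary<string, Type>(StringComparer.Ordinal)
    {
        { typeof(JobSpec).FullName, typeof(JobSpec) },
        { typeof(string).FullName, typeof(string) },
    };

    public override Type BindToType(string assemblyName, string typeName)
    {
        Type t;
        if (Allowed.TryGetValue(typeName, out t))
            return t;
        throw new SerializationException("type not in allowlist: " + typeName);
    }
}

public static class Demo
{
    // True if the binder would hand the formatter a Type for t, false if it refuses.
    public static bool Admits(SerializationBinder binder, Type t)
    {
        try
        {
            return binder.BindToType(t.Assembly.FullName, t.FullName) != null;
        }
        catch (SerializationException)
        {
            return false;
        }
    }

    public static void Main()
    {
        Type gadget = typeof(ReportDs);

        Console.WriteLine("ReportDs is a DataSet:     " + typeof(DataSet).IsAssignableFrom(gadget));
        Console.WriteLine("denylist admits DataSet:   " + Admits(new DenylistBinder(), typeof(DataSet)));
        Console.WriteLine("denylist admits ReportDs:  " + Admits(new DenylistBinder(), gadget));
        Console.WriteLine("allowlist admits ReportDs: " + Admits(new AllowlistBinder(), gadget));
        Console.WriteLine("allowlist admits JobSpec:  " + Admits(new AllowlistBinder(), typeof(JobSpec)));
    }
}
```

The binder is attached with `formatter.Binder = new AllowlistBinder();` before `Deserialize` is called; the formatter consults it for every type record in the stream, so a type that is not in the map is never instantiated. An allowlist only helps if none of the registered types is itself a gadget, so DataSet and anything deriving from it must not appear in it, and the list has to be reviewed whenever a new type is added.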

Mandvi
Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.