Researchers are urging Veeam Backup & Replication users to make sure their systems are fully upgraded to the latest version after the company released a patch Tuesday to address a critical remote code execution flaw.
The vulnerability, tracked as CVE-2025-23121, allows an authenticated domain user to run code on a backup server.
Researchers at watchTowr and Code White GmbH previously disclosed that a patch to address a prior vulnerability, tracked as CVE-2025-23120, could be bypassed. That disclosure led to the development of the new patch.
Veeam is effectively updating a blacklist of “dangerous deserialization gadgets” after they have been reported, according to watchTowr CEO Benjamin Harris. Researchers have seen this happen repeatedly during numerous patches deployed for the Backup & Replication product, Harris added.
“As we advocated for in March, this blacklisting approach will never be sufficient,” Harris told Cybersecurity Dive via email, adding that his team “demonstrated [this] once again in March when we reported further gadgets to Veeam that they have released patches for [on Tuesday] to address.”
Veeam said the patch addresses the vulnerability and that automatic updates have been enabled for all backup versions.
“When a vulnerability is identified and disclosed, attackers will still try to exploit and reverse-engineer the patches to use the vulnerability on an unpatched version of Veeam software in their exploitation attempts,” a Veeam spokesperson told Cybersecurity Dive via email. “This underlines the importance of ensuring customers are using the latest versions of all software and patches are installed in a timely manner.”
Veeam Backup & Replication is a tool that helps back up, replicate and restore company data in case of a ransomware attack or other malicious intrusion.
The risk involves the abuse of domain-joined backup servers, which Veeam has previously advised against using. However, it appears the risky practice is often used for efficiency purposes.
Harris explained that Veeam relies on a data-processing function (deserialization) that is known to be inherently insecure and, rather than remove it, has chosen to maintain a list of bad “gadgets” that the function must refuse to process.
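The denylist-versus-allowlist distinction Harris describes, shown here as an added example using Python's pickle module; this is illustrative code, not Veeam's implementation, and the gadget classes are harmless constructed stand-ins for the types a real denylist would enumerate.

```python
import io
import pickle

class KnownGadget:
    """Constructed stand-in for a class already on the vendor's denylist."""

class NewlyReportedGadget:
    """Constructed stand-in for a gadget reported after the denylist shipped."""

class BackupJob:
    """The one type the application legitimately expects to deserialize."""
    def __init__(self, name):
        self.name = name

# The denylist names what is known to be bad; the allowlist names what is needed.
DENYLIST = {(KnownGadget.__module__, KnownGadget.__qualname__)}
ALLOWLIST = {(BackupJob.__module__, BackupJob.__qualname__)}

class DenylistUnpickler(pickle.Unpickler):
    """Blocks only denylisted classes; anything else is resolved and built."""
    def find_class(self, module, name):
        if (module, name) in DENYLIST:
            raise pickle.UnpicklingError(f"denied gadget {module}.{name}")
        return super().find_class(module, name)

class AllowlistUnpickler(pickle.Unpickler):
    """Resolves only allowlisted classes; everything else is rejected."""
    def find_class(self, module, name):
        if (module, name) not in ALLOWLIST:
            raise pickle.UnpicklingError(f"not allowlisted: {module}.{name}")
        return super().find_class(module, name)

def try_load(unpickler_cls, payload):
    """Return the deserialized object's class name, or 'rejected'."""
    try:
        return type(unpickler_cls(io.BytesIO(payload)).load()).__name__
    except pickle.UnpicklingError:
        return "rejected"

def run_demo():
    """Feed each constructed payload to both unpicklers and collect results."""
    results = {}
    for obj in (BackupJob("nightly"), KnownGadget(), NewlyReportedGadget()):
        payload = pickle.dumps(obj)
        results[type(obj).__name__] = {
            "denylist": try_load(DenylistUnpickler, payload),
            "allowlist": try_load(AllowlistUnpickler, payload),
        }
    return results
```

The denylist stops only the gadget it already knows about and lets the newly reported one through, while the allowlist rejects both without needing an update.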
Veeam has a large customer base of more than 550,000 users, and ransomware groups have frequently targeted vulnerabilities in the product. Rapid7 researchers said Tuesday that more than 20% of the company’s incident response cases in 2024 involved Veeam being accessed or exploited.