Source: go.theregister.com – Author: Connor Jones
Veeam Backup & Replication users are urged to apply the latest patches that fix another critical bug leading to remote code execution (RCE) on backup servers.
Tracked as CVE-2025-23121 with a CVSS v3 score of 9.9, the vulnerability affects only domain-joined backup servers. Veeam’s documentation specifically advises against joining servers to domains, but as observed by customers following the previous B&R RCE in March, very few are aware of this fact.
The previous vulnerability was also a near-maximum severity issue (CVE-2025-23120, 9.9), affecting domain-joined servers. While Veeam didn’t state whether the underlying causes were the same, researchers at watchTowr, who were credited with the discovery of CVE-2025-23121 along with CodeWhite, suggested that may be the case.
watchTowr told The Register that, after reporting the issues that led to the March 19 disclosure of CVE-2025-23120, it found several additional bugs, and the disclosure of CVE-2025-23121 is the result of those findings.
CVE-2025-23120 and the earlier CVE-2024-40711 (9.8) are both uncontrolled deserialization vulnerabilities in BinaryFormatter – a buggy, deprecated component that Microsoft says cannot be trusted to deserialize data and can never be made secure.
It is still used in Veeam’s B&R (for now), however, and continues to be a source of security pain for the vendor. It underpins both CVE-2025-23120 and CVE-2024-40711, say the security researchers.
Chief product officer Anton Gostev has stated Veeam’s solution to these vulnerabilities “is actually pretty close to perfect.”
He said via a Veeam forum that the company had invested years into developing a workaround for BinaryFormatter bugs.
Veeam’s solution is to maintain an exclusion/block list of gadgets that can lead to deserialization issues, but this approach is inherently always one step behind the attackers, watchTowr’s Piotr Bazydlo claimed earlier this year.
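To make the block-list argument concrete, here is an added C# example (not Veeam's code) contrasting a deny-list SerializationBinder, whose default is to resolve any type not yet listed, with an allow-list binder whose default is to reject; the binder is the hook BinaryFormatter consults before instantiating each type in the stream. The gadget type names and the JobStatus class are constructed placeholders, and the code assumes a .NET 6 or 7 console project, where BinaryFormatter is still enabled by default.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Formatters.Binary;

// Deny-list binder: the pattern the article attributes to Veeam. The default
// action is "resolve the type", so any gadget type not yet on the list loads.
sealed class DenyListBinder : SerializationBinder
{
    // Constructed placeholder names, not Veeam's real exclusion list.
    static readonly HashSet<string> Blocked =
        new HashSet<string> { "Example.Gadgets.KnownGadgetA", "Example.Gadgets.KnownGadgetB" };
    public override Type BindToType(string assemblyName, string typeName)
    {
        if (Blocked.Contains(typeName))
            throw new SerializationException("blocked type: " + typeName);
        // Anything not listed resolves, so a gadget found tomorrow is allowed today.
        return Type.GetType(typeName + ", " + assemblyName, throwOnError: true);
    }
}

// Allow-list binder: the default action is "reject". Only the concrete types
// this application actually writes to the stream can ever be resolved.
sealed class AllowListBinder : SerializationBinder
{
    static readonly Dictionary<string, Type> Allowed =
        new Dictionary<string, Type> { [typeof(JobStatus).FullName] = typeof(JobStatus) };
    public override Type BindToType(string assemblyName, string typeName)
    {
        if (Allowed.TryGetValue(typeName, out var t)) return t;
        throw new SerializationException("type not on allow list: " + typeName);
    }
}

[Serializable]
sealed class JobStatus { public string Name; public int Percent; }
static class Demo
{
    // Round-trips a value with the given binder; a rejected type surfaces as a
    // SerializationException instead of an instantiated object.
    public static object RoundTrip(SerializationBinder binder, object value)
    {
        var formatter = new BinaryFormatter { Binder = binder };
        using var ms = new MemoryStream();
        formatter.Serialize(ms, value);
        ms.Position = 0;
        return formatter.Deserialize(ms);
    }
}
```

Neither binder changes the article's conclusion: Microsoft's position is that BinaryFormatter cannot be made safe, which is why removing it in V13, rather than maintaining a better list, is the fix.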
Benjamin Harris, CEO at watchTowr, also said: “After seeing Veeam’s CPO post on their product forum that they had spent years of focus and effort ‘on this known attack vector…’ we were left bewildered by the comment of their fix being (in their own words) ‘pretty close to perfect.’”
Harris added: “We invested a few further hours of time and identified multiple additional ‘gadgets’ that allowed us to achieve the same RCE impact again.
“This reinforced our original viewpoint, that we wrote about in March, that Veeam’s approach to securing the Backup & Replication solution from this vulnerability class is (in our opinion) ineffective/insufficient.”
Gostev’s post, meanwhile, went on to claim that there was some “FUD” in watchTowr’s March analysis of CVE-2025-23120, but agreed that until BinaryFormatter is removed from B&R (coming in version 13) these types of security issues will invariably continue to be found.
“Still, the exclusion list is hard to make perfect, so these will keep dripping occasionally,” the CPO said. “And because we do want our software to be perfect, we’re no longer using BinaryFormatter in V13, thus closing a chapter on this whole class of vulnerabilities.”
Version 13 of Backup & Replication is planned for an H2 2025 release, although Veeam has not committed to a more specific date. It is currently still in beta.
The latest RCE (CVE-2025-23121) affects all B&R version 12 builds, except for the latest available (12.3.1.1139). Announced this week, the update introduced fixes for the RCE flaw and addressed two other, less-severe code execution issues.
Multiple ransomware groups have used B&R vulnerabilities such as CVE-2024-40711 to launch attacks over the past year.
Sophos X-Ops researchers spotted Fog and Akira ransomware affiliates exploiting the vulnerability in October 2024, per a social media post, and a month later noted that attacks using a new variant called Frag were also being launched using the same flaw.
Supporting its findings, CISA added CVE-2024-40711 to its Known Exploited Vulnerabilities (KEV) catalog last year, indicating that it was known to be used in ransomware attacks, although it did not provide details about the groups or affiliates involved.
The Register asked Veeam for additional information but it did not immediately respond. ®
Original Post URL: https://go.theregister.com/feed/www.theregister.com/2025/06/18/veeam_fixes_third_critical_rce/