CVE-2025-23120
Published: 20 March 2025
Description
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Security Summary
CVE-2025-23120 is a remote code execution (RCE) vulnerability affecting Veeam Backup & Replication. Classified under CWE-502 (Deserialization of Untrusted Data), it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). The issue was published on 2025-03-20 and enables domain users to execute arbitrary code remotely.
The vulnerability can be exploited by authenticated domain users (PR:L) over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). Successful exploitation results in high impacts across confidentiality, integrity, and availability (C:H/I:H/A:H), allowing attackers to achieve RCE within the unchanged security scope (S:U).
Mitigation details are available in the official Veeam knowledge base article at https://www.veeam.com/kb4724 and the watchTowr Labs analysis at https://labs.watchtowr.com/by-executive-order-we-are-banning-blacklists-domain-level-rce-in-veeam-backup-replication-cve-2025-23120/, which cover patches and remediation guidance.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes a remote code execution vulnerability in Veeam Backup & Replication exploitable over the network by authenticated domain users via deserialization, directly mapping to Exploitation of Remote Services (T1210) and enabling arbitrary code execution via Command and Scripting Interpreter (T1059).