Warning: Critical Vulnerability in Veeam Backup & Replication, Patch Immediately!

Published: 20/03/2025

  • Last update: 20/03/2025
  • Affected software: Veeam Backup & Replication
  • Type: Improper Neutralization of Special Elements used in an OS Command (OS Command Injection) (CWE-78)
  • CVE/CVSS: CVE-2025-23120: CVSS 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)

Sources

Vendor Advisory - https://www.veeam.com/kb4724

Risks

Researchers found a vulnerability in Veeam Backup & Replication that allows remote code execution (RCE) by authenticated domain users. Successful exploitation gives an attacker code execution on the backup server, potentially disrupting backup processes and exposing sensitive data, with direct operational impact.

Description

This vulnerability arises from validating domain names with a blacklist (denylist) rather than stricter validation such as an allowlist. A blacklist only rejects the values its authors enumerated, so attackers can craft requests that fall outside the list, bypass the check and reach arbitrary command execution on the targeted system.
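To illustrate the weakness class the advisory names (command injection reached through blacklist-based domain-name validation), the following is an added example written for this page; it is not Veeam's code and does not reproduce the actual flaw or bypass. It contrasts a constructed denylist validator with an allowlist validator that enforces RFC 1123 hostname grammar, and then shows the safe way to hand a validated name to an external program (as an argv list, never via a shell). The function names, the denylist contents and the sample inputs are all constructed for the example.

```python
"""Denylist vs allowlist validation of domain names (added example).

Not Veeam's code: a generic illustration of why a blacklist is the
wrong tool for validating input that later reaches an OS command.
"""
import re
from typing import List

# Constructed denylist: it rejects only the substrings someone thought of.
# Anything not enumerated here passes, which is the core weakness.
DENYLIST = {";", "&&", "||", "|"}


def denylist_check(name: str) -> bool:
    """Weak validator: accept unless a listed bad substring is present."""
    return not any(bad in name for bad in DENYLIST)


# Allowlist: RFC 1123 labels (1-63 chars, alphanumerics and inner hyphens)
# joined by dots, whole name at most 253 characters.
LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
HOSTNAME_RE = re.compile(rf"^(?:{LABEL}\.)*{LABEL}$", re.IGNORECASE)


def allowlist_check(name: str) -> bool:
    """Strict validator: accept only input that matches hostname grammar."""
    return len(name) <= 253 and HOSTNAME_RE.fullmatch(name) is not None


def build_lookup_argv(name: str) -> List[str]:
    """Return an argv list for a hypothetical lookup tool.

    Two layers of defence: the name must pass the allowlist, and the
    command is built as a list so no shell ever interprets the value.
    Raises ValueError for anything that is not a well-formed hostname.
    """
    if not allowlist_check(name):
        raise ValueError(f"rejected: not a valid hostname: {name!r}")
    # subprocess.run(argv) with a list and shell=False would be the call
    # site; returned here so the example runs offline.
    return ["nslookup", name]


if __name__ == "__main__":
    # Constructed inputs: one ordinary hostname, one carrying a shell
    # variable reference that the denylist never enumerated.
    for sample in ("backup01.corp.example", "host$HOME.example"):
        print(f"{sample!r}: denylist={denylist_check(sample)} "
              f"allowlist={allowlist_check(sample)}")
```

The denylist accepts the second sample because `$` was never on its list; the allowlist rejects it because `$` is simply not part of hostname grammar. Blocking "known bad" can only ever lag behind the input space, whereas describing "known good" does not.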

Recommended Actions

Patch

The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.

For patching, refer to the vendor advisory: https://www.veeam.com/kb4724

Monitor/Detect

The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via: https://ccb.belgium.be/cert/report-incident.

While patching appliances or software to the newest version protects against future exploitation, it does not remediate a compromise that has already taken place.

References

watchTowr Labs - https://labs.watchtowr.com/by-executive-order-we-are-banning-blacklists-domain-level-rce-in-veeam-backup-replication-cve-2025-23120/