Veeam Patches Critical Backup Software Flaw Enabling Remote Code Execution

Veeam has released security updates to fix a critical vulnerability in its Backup & Replication software that could allow remote code execution. Tracked as CVE-2025-23120 with a CVSS score of 9.9, the flaw affects version 12.3.0.310 and all earlier version 12 builds.

Discovered by security researcher Piotr Bazydlo of watchTowr, the issue arises from improper deserialization handling, enabling attackers to exploit an overlooked class to execute malicious code. The vulnerability can be leveraged by any local user on the Veeam server, and if the server is domain-joined, any authenticated domain user could exploit it.

Veeam has addressed the issue in version 12.3.1 (build 12.3.1.1139) by adding the affected classes to a blocklist. However, researchers caution that similar risks may emerge if new deserialization pathways are discovered.
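The caveat above, that a blocklist only covers classes already known to be dangerous, shown as an added Python illustration. This is not Veeam's code (the product is .NET, not Python), and the gadget classes are harmless constructed stand-ins: a blocklist-based unpickler accepts a class it has never seen, while an allowlist refuses everything not explicitly permitted.

```python
import io
import pickle

# Constructed stand-ins: one class plays a gadget already on the blocklist,
# one plays a gadget discovered later, one is the only type we actually need.
class KnownGadget:
    pass

class NewGadget:
    pass

class SafeRecord:
    def __init__(self, name):
        self.name = name
    def __eq__(self, other):
        return isinstance(other, SafeRecord) and other.name == self.name

# Identify classes by (module, qualified name), the same pair pickle resolves.
def _key(cls):
    return (cls.__module__, cls.__qualname__)

BLOCKLIST = {_key(KnownGadget)}   # deny-list: only what is known today
ALLOWLIST = {_key(SafeRecord)}    # allow-list: only what the app needs

class BlocklistUnpickler(pickle.Unpickler):
    """Deny known-bad classes, resolve everything else (the fragile pattern)."""
    def find_class(self, module, name):
        if (module, name) in BLOCKLIST:
            raise pickle.UnpicklingError(f"blocked: {module}.{name}")
        return super().find_class(module, name)

class AllowlistUnpickler(pickle.Unpickler):
    """Resolve only explicitly listed classes; unknown ones are refused."""
    def find_class(self, module, name):
        if (module, name) not in ALLOWLIST:
            raise pickle.UnpicklingError(f"not allowed: {module}.{name}")
        return super().find_class(module, name)

def try_load(unpickler_cls, data):
    """Return ('ok', obj) or ('rejected', reason) for one deserialization."""
    try:
        return "ok", unpickler_cls(io.BytesIO(data)).load()
    except pickle.UnpicklingError as exc:
        return "rejected", str(exc)

def compare(obj):
    """Serialize obj and report how each guard treats the resulting payload."""
    data = pickle.dumps(obj, protocol=pickle.HIGHEST_PROTOCOL)
    return {"blocklist": try_load(BlocklistUnpickler, data)[0],
            "allowlist": try_load(AllowlistUnpickler, data)[0]}
```

`compare(NewGadget())` is the case the researchers warn about: the blocklist reports "ok" because the class was not on the list when the list was written.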

Meanwhile, IBM has patched two critical vulnerabilities in its AIX operating system (CVE-2024-56346 and CVE-2024-56347), which could allow remote attackers to execute arbitrary commands. Users are urged to apply updates promptly to mitigate potential threats.