A remote code execution (RCE) vulnerability, CVE-2025-23120, exists in Veeam Backup & Replication. Authenticated domain users can execute code on domain-joined backup servers via insecure .NET deserialization. Exploitation is silent and leaves no error messages in logs.

The Fix

Update your Veeam Backup & Replication installation to a patched version. Follow these steps in order.

First, check your current version. Run this PowerShell command as Administrator on your Veeam server:

Get-ItemProperty "HKLM:\SOFTWARE\Veeam\Veeam Backup and Replication" -Name "BuildNumber" | Select-Object BuildNumber

Alternatively, in the Veeam console, navigate to Help > About.

Method 1: Full Upgrade (Recommended)

Upgrade to version 12.3.1.1139 (which fixes CVE-2025-23120) or to 12.3.2.3617 (which also addresses CVE-2025-23121).

1. Download the latest installer from the official Veeam website.

2. Stop Veeam services on the backup server:

Stop-Service -Name "Veeam", "VBR" -Force

3. Run the installer as Administrator and follow the prompts. The installer will automatically back up your configuration.

4. After installation, restart the core service:

Start-Service -Name "VeeamBackupService"

5. Reboot the server.

If You Cannot Upgrade Immediately:

Apply these mitigations while you schedule the upgrade.

1. Isolate the Server: Remove the Veeam backup server from the domain. Use the System Properties GUI or PowerShell:

Remove-Computer -WorkgroupName "WORKGROUP" -Restart -Force

2. Restrict Network Access: Block the .NET Remoting ports (TCP 8103-8110) at the firewall from all non-essential IPs.

New-NetFirewallRule -DisplayName "Block Veeam Remoting Inbound" -Direction Inbound -Protocol TCP -LocalPort 8103-8110 -Action Block

3. Review User Roles: In the Veeam console, audit Users and Roles to ensure no excessive permissions are granted to standard domain user accounts.

If a Full Upgrade is Not Possible:

For version 12.3.0.310 only, apply the official hotfix from Veeam Knowledge Base article KB4724. Extract and run the hotfix installer as Administrator, then reboot. This is a temporary measure; plan for a full upgrade to 12.3.2.

Verify

After applying the fix:

1. Confirm the patched version is running by re-executing the version check PowerShell command or checking Help > About. You should see build 12.3.1.1139 or higher.

2. If you applied network mitigations, test that necessary administrative connections from your management stations still function.

3. Perform a test backup job to confirm core functionality remains intact.

4. Ensure the VeeamBackupService and other related services are running.
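The verification steps above can be run as one script. This is an added example, not part of the original advisory or Veeam's own tooling; it assumes the registry path and value name, the firewall rule display name and the build thresholds quoted in the steps above, and it matches services by display name so the exact service names do not need to be known.

```powershell
# Added example (not from the advisory): performs the "Verify" checks and reports
# which CVEs the installed build covers.
# Assumptions: registry path/value name, firewall rule name and build numbers are
# those given in the steps above.
$RegPath  = 'HKLM:\SOFTWARE\Veeam\Veeam Backup and Replication'
$RuleName = 'Block Veeam Remoting Inbound'

function Get-VeeamPatchState {
    param([string]$Build)            # e.g. '12.3.0.310'
    $v = [version]$Build
    [pscustomobject]@{
        Build          = $Build
        FixesCVE23120  = ($v -ge [version]'12.3.1.1139')   # first fixed build
        FixesCVE23121  = ($v -ge [version]'12.3.2.3617')   # bypass also fixed
        HotfixEligible = ($v -eq [version]'12.3.0.310')    # KB4724 case: confirm manually
    }
}

# 1. Installed build (same registry value the version check above reads)
$build = (Get-ItemProperty -Path $RegPath -Name 'BuildNumber' -ErrorAction Stop).BuildNumber
$state = Get-VeeamPatchState -Build $build

# 2. Domain membership: exploitation requires a domain user, so a still-joined,
#    unpatched server is the exposed case
$domainJoined = (Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain

# 3. Whether the interim firewall rule from the mitigation step is present
$rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue

# 4. Any Veeam service that is not running (matched by display name)
$stopped = Get-Service -DisplayName 'Veeam*' |
           Where-Object Status -ne 'Running' |
           Select-Object -ExpandProperty Name

$state | Add-Member -NotePropertyMembers @{
    DomainJoined    = $domainJoined
    RemotingBlocked = [bool]$rule
    StoppedServices = ($stopped -join ', ')
} -PassThru | Format-List

if (-not $state.FixesCVE23120 -and $domainJoined -and -not $rule) {
    Write-Warning 'Unpatched, domain-joined and remoting ports not blocked: apply a mitigation now.'
}
```

Run it as Administrator on the backup server; a build of 12.3.1.1139 reports CVE-2025-23120 fixed but CVE-2025-23121 still open, matching the note below about the 12.3.2 upgrade.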

Avoid common mistakes: do not skip the server reboot after patching, as this can leave vulnerable code in memory. Do not patch an unsupported version. Do not rely on previous blacklist-based fixes, as they are insufficient. If you are on version 12.3.1, you must still upgrade to 12.3.2 to address the patch bypass vulnerability, CVE-2025-23121.
