
About Remote Code Execution – Veeam Backup & Replication (CVE-2025-23120) vulnerability. Veeam B&R is a client-server software solution for centralized backup of virtual machines in VMware vSphere and Microsoft Hyper-V environments.
A deserialization flaw (CWE-502) lets an attacker run arbitrary code on a Veeam server. The necessary conditions: the Veeam server must be part of an Active Directory domain, and the attacker must be authenticated in this domain.
The vendor’s security advisory was released on March 19. The next day, on March 20, WatchTowr Labs published an analysis of the vulnerability. A PoC exploit is expected to appear soon.
Veeam products were widely deployed in Russia until 2022, and many active installations likely remain.
Compromising the backup system could severely delay infrastructure recovery following a ransomware attack.
Upgrade to version 12.3.1 and, if possible, disconnect the B&R server from the domain.
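The conditions and the remediation above can be turned into a triage pass over a B&R server inventory. This is an added example, not code from the post or from Veeam: the host names, CSV columns, version strings and action labels are constructed, and it assumes that any release below 12.3.1 still needs the upgrade.

```python
import csv
import io

FIXED = (12, 3, 1)  # fixed release named in the post

# Constructed inventory: hypothetical hosts, columns and version strings
# (not real build numbers).
SAMPLE_INVENTORY = """host,vbr_version,domain_joined
vbr-01,12.3.0.100,yes
vbr-02,12.3.1.200,yes
vbr-03,12.1.2,no
vbr-04,12.3.1,no
vbr-05,unknown,yes
"""

def parse_version(text):
    """Return a tuple of ints, or None if the text is not a dotted version."""
    try:
        return tuple(int(p) for p in text.strip().split("."))
    except ValueError:
        return None

def is_patched(version):
    # Compare major.minor.patch only; pad short versions such as "12.3".
    return (version + (0, 0, 0))[:3] >= FIXED

def triage(row):
    """Map one inventory row to an action (labels are assumptions)."""
    version = parse_version(row["vbr_version"])
    joined = row["domain_joined"].strip().lower() in ("yes", "true", "1")
    if version is None:
        return "verify-version"            # cannot decide without a version
    if not is_patched(version):
        # Domain-joined + unpatched meets both conditions from the post.
        return "upgrade-urgent" if joined else "upgrade"
    # Patched, but the post also advises leaving the domain if possible.
    return "review-domain-membership" if joined else "ok"

def triage_inventory(csv_text):
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["host"]: triage(row) for row in reader}

if __name__ == "__main__":
    for host, action in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {action}")
```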

Hi! My name is Alexander and I am a Vulnerability Management specialist. You can read more about me here. Currently, the best way to follow me is my Telegram channel @avleonovcom. I update it more often than this site. If you haven’t used Telegram yet, give it a try. It’s great. You can discuss my posts or ask questions at @avleonovchat.
I invite all Russian speakers to another Telegram channel, @avleonovrus; that is where I now write first.