Updates have been issued by Veeam to fix a critical deserialization bug in its Backup and Replication software, tracked as CVE-2025-23120, which could be leveraged for remote code execution, reports SC Media. Veeam Backup and Replication version 12.3.0.310 and all earlier version 12 builds are affected. watchTowr, which analyzed the flaw, regarded it as a significant concern for organizations that have joined unpatched instances to their Active Directory domain. The latest patch follows an earlier attempt in which Veeam addressed the flaw by adding the offending class to its deserialization blacklist, according to Bugcrowd founder Casey Ellis, who noted that the fix left other code paths unremediated. "The better approach would be to default deny, and instead control access to deserialization through an allow list," said Ellis.
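To make Ellis's point concrete, here is an added example (not Veeam's code, and unrelated to the .NET deserializer the product uses) contrasting the two patterns on Python's pickle: a deny-list unpickler that blocks only named types and therefore resolves anything it was not told about, beside a default-deny unpickler that resolves only types on an allow list. The allow list, deny list and sample payloads are all constructed for the demonstration.

```python
import io
import pickle
from collections import OrderedDict

# Constructed allow list: the only (module, name) pairs the application
# legitimately expects to appear in a serialized payload.
ALLOWED = {("builtins", "dict"), ("builtins", "list"), ("builtins", "set")}

# Constructed deny list: blocking by name can only ever cover the types
# someone has already thought of, which is the weakness the article describes.
DENIED = {("os", "system"), ("subprocess", "Popen")}


class AllowListUnpickler(pickle.Unpickler):
    """Default deny: a global reference resolves only if it is on the allow list."""

    def find_class(self, module, name):
        if (module, name) not in ALLOWED:
            raise pickle.UnpicklingError(f"blocked {module}.{name}")
        return super().find_class(module, name)


class DenyListUnpickler(pickle.Unpickler):
    """Default allow: anything not explicitly denied resolves (the weak pattern)."""

    def find_class(self, module, name):
        if (module, name) in DENIED:
            raise pickle.UnpicklingError(f"blocked {module}.{name}")
        return super().find_class(module, name)


def load_with(unpickler_cls, data):
    """Deserialize bytes with the given unpickler class."""
    return unpickler_cls(io.BytesIO(data)).load()


def classify(unpickler_cls, data):
    """Return 'loaded' or 'blocked' for a payload under the given policy."""
    try:
        load_with(unpickler_cls, data)
        return "loaded"
    except pickle.UnpicklingError:
        return "blocked"


# Constructed sample payloads: a plain dict (what the app expects; plain
# containers reference no globals at all) and a harmless OrderedDict that the
# app never asked for, which stands in for "some other code path".
EXPECTED = pickle.dumps({"job": "backup", "retries": 3})
UNEXPECTED = pickle.dumps(OrderedDict(job="backup"))
```

Run against the two payloads, the deny-list policy loads both, while the allow-list policy loads only the expected one and rejects the unlisted type without the list ever having to anticipate it.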