
Veeam and IBM Release Patches for High-Risk Flaws in Backup and AIX Systems


Mar 20, 2025 | Ravie Lakshmanan | Vulnerability / Software Update


Veeam has released security updates to address a critical security flaw in its Backup & Replication software that could lead to remote code execution.

The vulnerability, tracked as CVE-2025-23120, carries a CVSS score of 9.9 out of 10.0. It affects 12.3.0.310 and all earlier version 12 builds.

"A vulnerability allowing remote code execution (RCE) by authenticated domain users," the company said in an advisory released Wednesday.

Security researcher Piotr Bazydlo of watchTowr has been credited with discovering and reporting the flaw, which has been resolved in version 12.3.1 (build 12.3.1.1139).

According to Bazydlo and researcher Sina Kheirkhah, CVE-2025-23120 stems from Veeam's inconsistent handling of its deserialization mechanism: an allowlisted class that is permitted to be deserialized in turn triggers an inner deserialization, and that inner step relies on a blocklist to reject data the company deems risky rather than on the allowlist used at the outer layer.

This also means that a threat actor could leverage a deserialization gadget missing from the blocklist – namely, Veeam.Backup.EsxManager.xmlFrameworkDs and Veeam.Backup.Core.BackupSummary – to achieve remote code execution.


"These vulnerabilities can be exploited by any user who belongs to the local users group on the Windows host of your Veeam server," the researchers said. "Better yet – if you have joined your server to the domain, these vulnerabilities can be exploited by any domain user."

The patch released by Veeam adds the two gadgets to the existing blocklist, meaning the product could once again become susceptible to similar risks if other viable deserialization gadgets are discovered.
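The allowlist-versus-blocklist distinction is the whole reason the fix is described as fragile. The following is an added example written for this page, not code from Veeam, watchTowr or the article. It uses Python's pickle module rather than .NET serialization to show the same design choice in miniature: a loader that rejects only listed types, a "patched" loader with one more entry appended (the shape of the Veeam fix), and a loader that accepts only the one type the application expects. The blocklist entries and the three sample inputs are constructed stand-ins, not real gadget types; the two unlisted types are harmless collections classes chosen only because the blocklist author did not list them.

```python
import collections
import io
import pickle

# Constructed blocklist standing in for a vendor's "known dangerous types"
# list. Real gadget classes are deliberately not used; only the list
# semantics matter here.
BLOCKLIST_V1 = {("builtins", "eval"), ("builtins", "exec")}

# The "patched" blocklist: one more entry appended after a report, which is
# the shape of fix the article describes (gadgets added to the existing list).
BLOCKLIST_PATCHED = BLOCKLIST_V1 | {("collections", "Counter")}

# Allowlist: only the single type the application actually expects to receive.
ALLOWLIST = {("collections", "OrderedDict")}


def make_blocklist_unpickler(blocked):
    """Build an Unpickler that rejects only globals named in `blocked`;
    every other (module, name) pair is resolved and loaded."""
    class _Unpickler(pickle.Unpickler):
        def find_class(self, module, name):
            if (module, name) in blocked:
                raise pickle.UnpicklingError(f"blocked global {module}.{name}")
            return super().find_class(module, name)
    return _Unpickler


class AllowlistUnpickler(pickle.Unpickler):
    """Unpickler that resolves only globals explicitly named in ALLOWLIST."""
    def find_class(self, module, name):
        if (module, name) not in ALLOWLIST:
            raise pickle.UnpicklingError(f"global {module}.{name} not allowlisted")
        return super().find_class(module, name)


def try_load(unpickler_cls, data):
    """Return 'accepted' or 'rejected' for one serialized blob under one policy."""
    try:
        unpickler_cls(io.BytesIO(data)).load()
        return "accepted"
    except pickle.UnpicklingError:
        return "rejected"


# Constructed inputs: the expected type plus two harmless stand-ins for
# "types the blocklist author did not think of". Protocol 4 is used so that
# find_class sees the real module names (older protocols remap builtins).
SAMPLES = {
    "expected_type": pickle.dumps(collections.OrderedDict(a=1), protocol=4),
    "unlisted_type_1": pickle.dumps(collections.Counter(a=1), protocol=4),
    "unlisted_type_2": pickle.dumps(collections.deque([1, 2]), protocol=4),
}


def compare_policies():
    """Outcome of every sample under the original blocklist, the patched
    blocklist and the allowlist, keyed by sample label then policy name."""
    policies = {
        "blocklist_v1": make_blocklist_unpickler(BLOCKLIST_V1),
        "blocklist_patched": make_blocklist_unpickler(BLOCKLIST_PATCHED),
        "allowlist": AllowlistUnpickler,
    }
    return {
        label: {policy: try_load(cls, blob) for policy, cls in policies.items()}
        for label, blob in SAMPLES.items()
    }


if __name__ == "__main__":
    for label, outcome in compare_policies().items():
        print(label, outcome)
```

Under the blocklist policy every type its author did not foresee is accepted, and the patched list only catches the one type that has already been reported, so the second unlisted sample still loads. The allowlist rejects both unlisted inputs without anyone needing to know they exist, which is the property the outer deserializer in the article has and the inner one lacks.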

The development comes as IBM has shipped fixes to remediate two critical bugs in its AIX operating system that could permit command execution.

The list of shortcomings, which impact AIX versions 7.2 and 7.3, is below –

  • CVE-2024-56346 (CVSS score: 10.0) – An improper access control vulnerability that could permit a remote attacker to execute arbitrary commands via the AIX nimesis NIM master service
  • CVE-2024-56347 (CVSS score: 9.6) – An improper access control vulnerability that could permit a remote attacker to execute arbitrary commands via the AIX nimsh service SSL/TLS protection mechanism

While there is no evidence that any of these critical flaws have been exploited in the wild, users are advised to move quickly to apply the necessary patches to secure against potential threats.
