Veeam and IBM Release Patches for High-Risk Flaws in Backup and AIX Systems

Mar 20, 2025Ravie LakshmananVulnerability / Software Update

Veeam has released security updates to address a critical security flaw impacting its Backup & Replication software that could lead to remote code execution.

The vulnerability, tracked as CVE-2025-23120, carries a CVSS score of 9.9 out of 10.0. It affects 12.3.0.310 and all earlier version 12 builds.

“A vulnerability allowing remote code execution (RCE) by authenticated domain users,” the company said in an advisory released Wednesday.

Security researcher Piotr Bazydlo of watchTowr has been credited with discovering and reporting the flaw, which has been resolved in version 12.3.1 (build 12.3.1.1139).

According to Bazydlo and researcher Sina Kheirkhah, CVE-2025-23120 stems from Veeam’s inconsistent handling of deserialization mechanism, causing an allowlisted class that can be deserialized to pave the way for an inner deserialization that implements a blocklist-based approach to prevent deserialization of data deemed risky by the company.

This also means that a threat actor could leverage a deserialization gadget missing from the blocklist – namely, Veeam.Backup.EsxManager.xmlFrameworkDs and Veeam.Backup.Core.BackupSummary – to achieve remote code execution.

“These vulnerabilities can be exploited by any user who belongs to the local users group on the Windows host of your Veeam server,” the researchers said. “Better yet – if you have joined your server to the domain, these vulnerabilities can be exploited by any domain user.”

The patch introduced by Veeam adds the two gadgets to the existing blocklist, meaning the solution could once again be rendered susceptible to similar risks if other feasible deserialization gadgets are discovered.

The development comes as IBM has shipped fixes to remediate two critical bugs in its AIX operating system that could permit command execution.

The list of shortcomings, which impact AIX versions 7.2 and 7.3, is below –

• CVE-2024-56346 (CVSS score: 10.0) – An improper access control vulnerability that could permit a remote attacker to execute arbitrary commands via the AIX nimesis NIM master service
• CVE-2024-56347 (CVSS score: 9.6) – An improper access control vulnerability that could permit a remote attacker to execute arbitrary commands via the AIX nimsh service SSL/TLS protection mechanism

While there is no evidence that any of these critical flaws have been exploited in the wild, users are advised to move quickly to apply the necessary patches to secure against potential threats.