Friday, May 2, 2025

Veeam RCE Vulnerability Allows Domain Users to Hack Backup Servers


Researchers at watchTowr Labs have detailed critical Remote Code Execution (RCE) vulnerabilities in Veeam Backup & Replication.

These vulnerabilities, tracked as CVE-2025-23120, stem from unsafe deserialization in the product's .NET Remoting channel and allow any domain user to obtain SYSTEM-level code execution on the backup server.

This matters most for organizations that have joined their Veeam backup servers to an Active Directory domain, because every account in that domain can then reach the vulnerable channel.


CVE-2025-23120: Exploiting Deserialization Weaknesses

The exploit path runs through deserialization gadgets that already exist in the Veeam codebase.

Specifically, the researchers used the Veeam.Backup.EsxManager.xmlFrameworkDs class, a serializable subclass of System.Data.DataSet, as described in the watchTowr Labs write-up.

DataSet is a well-known .NET deserialization gadget. Because the xmlFrameworkDs deserialization constructor simply forwards the serialized state to the DataSet constructor, deserializing an attacker-supplied xmlFrameworkDs object triggers the same gadget chain as DataSet itself, but under a type name that a denylist entry for System.Data.DataSet does not match.

using System;
using System.ComponentModel;
using System.Data;
using System.Runtime.Serialization;

namespace Veeam.Backup.EsxManager
{
    // Decompiled Veeam type, as reproduced in the watchTowr write-up.
    // It is a serializable DataSet subclass: its deserialization constructor
    // passes the serialized state straight to the DataSet constructor, so it
    // reaches the same code as the well-known DataSet gadget under a type name
    // that a denylist built around "System.Data.DataSet" does not match.
    [Serializable]
    public class xmlFrameworkDs : DataSet
    {
        protected xmlFrameworkDs(SerializationInfo info, StreamingContext context)
            : base(info, context, false)   // DataSet(info, context, ConstructSchema: false)
        {
            if (base.IsBinarySerialized(info, context))
            {
                this.InitVars(false);
                CollectionChangeEventHandler value = new CollectionChangeEventHandler(this.SchemaChanged);
                this.Tables.CollectionChanged += value;
                this.Relations.CollectionChanged += value;
                return;
            }
            //...
        }
    }
}

This vulnerability is possible because the product's deserialization protection is a blacklist of type names.

Veeam had previously responded to similar findings by extending that blacklist.

The researchers argue that this approach is inherently flawed: it depends on maintaining an exhaustive list of dangerous classes, which is impractical given the number of potential gadgets in the .NET Framework, in third-party libraries, and in the product's own assemblies, where any subclass of a listed type escapes a name-based check.

Privileges Required for Exploitation

To exploit these vulnerabilities, an attacker needs to reach the Veeam .NET Remoting channel.

Reaching it does not require administrative privileges: any account that is a member of the local Users group on the Windows host can exploit these vulnerabilities.

More alarming, when the Veeam server is joined to a domain, any domain user can exploit these flaws because of how the authorization check in the Veeam Mount Service is implemented.

The check is performed by the CMountServiceAccessChecker.HasAccess method, which grants access if the caller is in the role WindowsBuiltInRole.User, that is, a member of the local BUILTIN\Users group.

When a host joins a domain, the Domain Users group is added to that local Users group by default, so every domain account passes the check unless an administrator has removed that nesting.
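As an added illustration of the authorization point above (constructed for this page; not Veeam's code, and not a claim about how Veeam fixed it), the C# below compares a check shaped like the one described, membership in BUILTIN\Users via WindowsBuiltInRole.User, with a check against a single dedicated group. The token contents, domain SID and group SIDs are invented.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Principal;

public static class MountAccessDemo
{
    // BUILTIN\Users (RID 545) is what WindowsBuiltInRole.User resolves to.
    static readonly SecurityIdentifier BuiltinUsers = new SecurityIdentifier("S-1-5-32-545");

    // Weak check, shaped like the one the article describes: the caller only has to be
    // a member of BUILTIN\Users. 'tokenGroups' is the set of group SIDs in the caller's token.
    public static bool HasAccessLikeBuiltInRoleUser(IEnumerable<SecurityIdentifier> tokenGroups)
    {
        return tokenGroups.Contains(BuiltinUsers);
    }

    // Hardened variant (an assumed design): membership in one dedicated, explicitly
    // managed group, e.g. a local "Veeam Mount Operators" group that is never nested
    // into by Domain Users.
    public static bool HasAccessViaDedicatedGroup(IEnumerable<SecurityIdentifier> tokenGroups,
                                                  SecurityIdentifier dedicatedGroup)
    {
        return tokenGroups.Contains(dedicatedGroup);
    }

    // Live variant of the weak check against the current process token (Windows only).
    public static bool CurrentUserPassesWeakCheck()
    {
        var id = WindowsIdentity.GetCurrent();
        return new WindowsPrincipal(id).IsInRole(WindowsBuiltInRole.User);
    }

    public static void Main()
    {
        // Constructed token of an ordinary domain user on a domain-joined host.
        // The domain SID is invented; RID 513 is Domain Users. BUILTIN\Users appears
        // because Domain Users is nested into the local Users group at join time.
        var domainUserToken = new[]
        {
            new SecurityIdentifier("S-1-5-21-1111111111-2222222222-3333333333-513"), // DOMAIN\Domain Users
            new SecurityIdentifier("S-1-1-0"),   // Everyone
            new SecurityIdentifier("S-1-5-11"),  // Authenticated Users
            BuiltinUsers,                        // BUILTIN\Users, via nesting
        };
        // Invented SID of a local group that only backup operators are put into.
        var dedicated = new SecurityIdentifier("S-1-5-21-4444444444-5555555555-6666666666-1005");

        Console.WriteLine("BuiltInRole.User check:  " + HasAccessLikeBuiltInRoleUser(domainUserToken)); // True
        Console.WriteLine("dedicated group check:   " + HasAccessViaDedicatedGroup(domainUserToken, dedicated)); // False
        Console.WriteLine("current user, weak check: " + CurrentUserPassesWeakCheck());
    }
}
```

The first two functions take the token's group SIDs as plain input so the difference can be reasoned about without a domain; the third shows the same weak test evaluated on a real token, where it is true for essentially every interactive account on the host.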

The discovery of these RCE vulnerabilities in Veeam Backup & Replication underscores the risk of relying on blacklist-based deserialization controls.

It highlights the importance of moving to whitelist-only type resolution, where only the message types a channel is expected to carry can be deserialized, to prevent similar vulnerabilities in the future.

Organizations using Veeam should apply the fixed build (Veeam Backup & Replication 12.3.1 or later) and, in line with Veeam's own guidance, keep the backup server out of the production Active Directory domain or in a separate management forest, so that a compromised domain account cannot reach it.


Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.
