Veeam and IBM Release Patches for High-Risk Flaws in Backup and AIX Systems

Mar 20, 2025Ravie LakshmananVulnerability / Software Update

Veeam has released security updates to address a critical security flaw impacting its Backup & Replication software that could lead to remote code execution.

The vulnerability, tracked as CVE-2025-23120, carries a CVSS score of 9.9 out of 10.0. It affects 12.3.0.310 and all earlier version 12 builds.

“A vulnerability allowing remote code execution (RCE) by authenticated domain users,” the company said in an advisory released Wednesday.

Security researcher Piotr Bazydlo of watchTowr has been credited with discovering and reporting the flaw, which has been resolved in version 12.3.1 (build 12.3.1.1139).

According to Bazydlo and researcher Sina Kheirkhah, CVE-2025-23120 stems from Veeam’s inconsistent handling of deserialization mechanism, causing an allowlisted class that can be deserialized to pave the way for an inner deserialization that implements a blocklist-based approach to prevent deserialization of data deemed risky by the company.

This also means that a threat actor could leverage a deserialization gadget missing from the blocklist – namely, Veeam.Backup.EsxManager.xmlFrameworkDs and Veeam.Backup.Core.BackupSummary – to achieve remote code execution.

“These vulnerabilities can be exploited by any user who belongs to the local users group on the Windows host of your Veeam server,” the researchers said. “Better yet – if you have joined your server to the domain, these vulnerabilities can be exploited by any domain user.”

The patch introduced by Veeam adds the two gadgets to the existing blocklist, meaning the solution could once again be rendered susceptible to similar risks if other feasible deserialization gadgets are discovered.

The development comes as IBM has shipped fixes to remediate two critical bugs in its AIX operating system that could permit command execution.

The list of shortcomings, which impact AIX versions 7.2 and 7.3, is below –

• CVE-2024-56346 (CVSS score: 10.0) – An improper access control vulnerability that could permit a remote attacker to execute arbitrary commands via the AIX nimesis NIM master service
• CVE-2024-56347 (CVSS score: 9.6) – An improper access control vulnerability that could permit a remote attacker to execute arbitrary commands via the AIX nimsh service SSL/TLS protection mechanism

While there is no evidence that any of these critical flaws have been exploited in the wild, users are advised to move quickly to apply the necessary patches to secure against potential threats.

Upgrade your audio game with the Logitech for Creators Blue Yeti USB Microphone. With over 33,730 ratings and an impressive 4.6 out of 5 stars, it’s no wonder this is an Amazon’s Choice product. Recently, 5K+ units were purchased in the past month.

Available in five stunning colors: Teal, Silver, Pink Dawn, Midnight Blue, and Blackout, this microphone is perfect for creators looking to produce exceptional audio. Priced at only $84.99, it’s a deal you can’t afford to miss.

Elevate your recordings with clear broadcast-quality sound and explore your creativity with enhanced effects, advanced modulation, and HD audio samples. Order now for just $84.99 on Amazon!

Help Power Techcratic’s Future – Scan To Support

If Techcratic’s content and insights have helped you, consider giving back by supporting the platform with crypto. Every contribution makes a difference, whether it’s for high-quality content, server maintenance, or future updates. Techcratic is constantly evolving, and your support helps drive that progress.

As a solo operator who wears all the hats, creating content, managing the tech, and running the site, your support allows me to stay focused on delivering valuable resources. Your support keeps everything running smoothly and enables me to continue creating the content you love. I’m deeply grateful for your support, it truly means the world to me! Thank you!