Veeam has patched a critical remote code execution vulnerability tracked as CVE-2025–23120 in its Backup & Replication software that impacts domain-joined installations.

The flaw was disclosed yesterday and affects Veeam Backup & Replication version 12.3.0.310 and all earlier version 12 builds. The company fixed it in version 12.3.1 (build 12.3.1.1139), which was released yesterday.

According to a technical writeup by watchTowr Labs, who discovered the bug, CVE-2025–23120 is a deserialization vulnerability in the Veeam. Backup. EsxManager.xmlFrameworkDs and Veeam.Backup.Core. BackupSummary. NET classes.