About Veeam Backup (CVE-2025-23120 and CVE-2025-23121) – 23-06-2025

CVE-2025-23121

NVD Published Date: 06/18/2025

NVD Last Modified: 06/18/2025

Preface: Veeam introduced a custom serialization formatter to protect against unsafe deserialization vulnerabilities (see below):

- They override the default .NET deserialization behavior.

- They validate or restrict which types can be deserialized.

- This is a security hardening measure to prevent attackers from exploiting deserialization to execute arbitrary code.

Background: A BinaryFormatter is a class in .NET used for serializing and deserializing objects into a binary format. Serialization converts an object’s state into a byte stream, allowing it to be stored (e.g., in a file) or transmitted. Deserialization is the reverse process, reconstructing the object from the byte stream. The BinaryFormatter provides a compact binary representation, making it relatively fast for serialization and deserialization.

Veeam introduced a custom formatter that prevents insecure deserialization through a whitelist-like mechanism.

The Veeam.Backup.Model.CDbCryptoKeyInfo class is marked as [Serializable] and is explicitly allowed for deserialization within Veeam’s implementation. According to a detailed vulnerability analysis, this class:

  • Is part of the whitelist of types that Veeam permits for deserialization.
  • Has a “magic constructor” (a constructor that can be invoked during deserialization) that can be reached via .NET Remoting or other deserialization mechanisms.
  • Was involved in a Remote Code Execution (RCE) vulnerability (CVE-2025-23120), where the deserialization of this class could be exploited due to insufficient validation and reliance on a blacklist rather than a strict whitelist.

This vulnerability highlights the risks of allowing deserialization of complex or sensitive types, especially when relying on blacklist-based filtering, which can be bypassed.
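To make the whitelist-versus-blacklist distinction concrete, here is an added example (not Veeam's code, and not taken from the analysis the post cites) of two SerializationBinder implementations attached to a BinaryFormatter: a deny-list binder that only blocks names it already knows, and an allow-list binder that resolves a closed set of plain data types and rejects everything else. The DTO names, the placeholder deny-list entry and the assumption of a .NET 6/7 console project with C# 9 or later are all constructed for the example.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Formatters.Binary;

// BinaryFormatter is obsolete (SYSLIB0011) and disabled by default on .NET 8+;
// it is used here only because the post discusses BinaryFormatter hardening.
#pragma warning disable SYSLIB0011

[Serializable] sealed class BackupJobRecord { public int Id; public string Name; } // hypothetical DTO
[Serializable] sealed class OtherRecord { public string Note; }                    // hypothetical, not allowed

// Deny-list binder: blocks the names it knows and resolves anything else.
// Every type not yet on the list is deserialized, which is the weakness the post describes.
sealed class DenyListBinder : SerializationBinder
{
    static readonly HashSet<string> Denied = new(StringComparer.Ordinal) { "Example.KnownBadType" }; // placeholder
    public override Type BindToType(string assemblyName, string typeName)
    {
        if (Denied.Contains(typeName)) throw new SerializationException("denied: " + typeName);
        return Type.GetType(typeName + ", " + assemblyName, throwOnError: true);
    }
}

// Allow-list binder: the stream may only name types in this closed map.
// Keep the map to plain data holders; an allowed type that runs code while being
// deserialized (ISerializable constructor, [OnDeserialized] callback) is still reachable.
sealed class AllowListBinder : SerializationBinder
{
    static readonly Dictionary<string, Type> Allowed = new(StringComparer.Ordinal)
    {
        [typeof(BackupJobRecord).FullName!] = typeof(BackupJobRecord),
    };
    public override Type BindToType(string assemblyName, string typeName) =>
        Allowed.TryGetValue(typeName, out var t) ? t
            : throw new SerializationException("not on allow list: " + typeName);
}

static class Demo
{
    static byte[] Serialize(object o) { var ms = new MemoryStream(); new BinaryFormatter().Serialize(ms, o); return ms.ToArray(); }
    static object Deserialize(byte[] b, SerializationBinder binder) =>
        new BinaryFormatter { Binder = binder }.Deserialize(new MemoryStream(b));

    static void Main()
    {
        byte[] job = Serialize(new BackupJobRecord { Id = 7, Name = "nightly" });
        byte[] other = Serialize(new OtherRecord { Note = "constructed sample" });
        Console.WriteLine(((BackupJobRecord)Deserialize(job, new AllowListBinder())).Name); // allowed type resolves
        Console.WriteLine(Deserialize(other, new DenyListBinder()).GetType().Name);        // unknown type slips past the deny list
        try { Deserialize(other, new AllowListBinder()); }
        catch (SerializationException e) { Console.WriteLine(e.Message); }                // same type rejected by the allow list
    }
}
```

The point for reviewers is the second half of the allow-list comment: an allow list only helps if every entry is audited for code that executes during deserialization, which is exactly how an explicitly permitted type becomes the path to RCE.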

Vulnerability details: CVE-2025-23121 allows remote code execution (RCE) on the Backup Server by an authenticated domain user.

Official announcement: For details, please see the reference link – https://nvd.nist.gov/vuln/detail/CVE-2025-23121
