CVERadar

CVE-2025-23120

Severity: Critical
SVRS: 84/100
CVSSv3: 9.9/10
EPSS: 0.00406/1

CVE-2025-23120 is a critical remote code execution (RCE) vulnerability impacting domain users: it allows attackers to execute arbitrary code remotely and potentially take control of affected systems. With a SOCRadar Vulnerability Risk Score (SVRS) of 84, it is considered a critical vulnerability requiring immediate attention. The flaw is classified as CWE-502, indicating that insecure deserialization is likely at the root of the problem. The high SVRS reflects the increased risk from exploit activity observed "In The Wild": attackers are actively exploiting it, which demands urgent patching and mitigation. The potential impact includes complete system compromise, data breaches, and significant operational disruption.

Status: In The Wild
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Published: 2025-03-20

SOCRadar AI Insight

Description

CVE-2025-23120 is a Remote Code Execution (RCE) vulnerability affecting domain users. While the CVSS score is high at 9.9, the SOCRadar Vulnerability Risk Score (SVRS) is 52. This indicates that, based on SOCRadar's vulnerability intelligence which incorporates real-world factors beyond the quantitative CVSS score, the immediate risk might be lower than the CVSS suggests, but still requires attention.

Key Insights

  • Remote Code Execution: The vulnerability allows attackers to execute arbitrary code remotely, which can lead to complete system compromise, data theft, and denial of service.
  • Domain User Impact: Since the vulnerability impacts domain users, a successful exploit can grant the attacker elevated privileges within the network, enabling lateral movement and access to sensitive resources.
  • SVRS Consideration: While the CVSS score indicates critical severity, the SVRS of 52 suggests that the real-world exploitability and impact, based on available threat intelligence, are moderate. This score reflects factors such as the lack of active exploits (if applicable), specific threat actor targeting (if applicable), and limited mentions in relevant threat landscapes.
  • Active Exploits have been published.

Mitigation Strategies

  • Patch Management: Immediately apply any available patches or updates provided by the vendor to address the vulnerability. This is the primary and most effective mitigation strategy.
  • Privilege Restriction: Implement the principle of least privilege, ensuring that domain users only have the necessary permissions to perform their job functions. Restricting unnecessary administrative privileges can limit the impact of a successful exploit.
  • Network Segmentation: Segment the network to isolate critical systems and data. This can prevent an attacker from easily moving laterally across the network after exploiting the vulnerability.
  • Intrusion Detection and Prevention: Deploy and configure Intrusion Detection and Prevention Systems (IDS/IPS) to detect and block attempts to exploit the vulnerability. Ensure that these systems are regularly updated with the latest signatures.

Additional Information

If users have additional queries regarding this incident, they can use the 'Ask to Analyst' feature, contact SOCRadar directly, or open a support ticket for more information if necessary.

Indicators of Compromise

No IOCs found for this CVE

Exploits

No exploits found for this CVE


News

⚡ THN Weekly Recap: GitHub Supply Chain Attack, AI Malware, BYOVD Tactics, and More - The Hacker News (2025-03-24)
A quiet tweak in a popular open-source tool opened the door to a supply chain breach—what started as a targeted attack quickly spiraled, exposing secrets across countless projects. That wasn't the only stealth move. A new all-in-one malware is silently stealing passwords, crypto, and control—while hiding in plain sight. And over 300 Android apps joined the chaos, running ad fraud at scale behind innocent-looking icons. Meanwhile, ransomware gangs are getting smarter—using stolen drivers to
Source: google.com

24th March – Threat Intelligence Report (lorenf, 2025-05-01)
For the latest discoveries in cyber research for the week of 24th March, please download our Threat Intelligence Bulletin. TOP ATTACKS AND BREACHES Municipalities in four US states experienced cyberattacks that disrupted services for county offices, courts, and schools. Cleveland Municipal Court was hit by Qilin ransomware attack, forcing employees offline and delaying trials, while […] The post 24th March – Threat Intelligence Report appeared first on Check Point Research
Source: checkpoint.com

SANS Stormcast Friday Mar 21st: New Data Feeds; SEO Spam; Veeam Deserialization; IBM AIX RCE; (Dr. Johannes B. Ullrich, 2025-03-21)
Daily 5 min cyber security news summary. News, patches, vulnerabilities and trends in information and network security. Some New Data Feeds and Little Incident: We started offering additional data feeds, and an SEO spammer attempted to make us change a link from an old podcast episode. https://isc.sans.edu/diary/Some%20new%20Data%20Feeds%2C%20and%20a%20little%20%22incident%22./31786 Veeam Deserialization Vulnerability
Source: sans.edu

Daily Summary - 20.03.2025 (CERT.at, 2025-05-01)
End-of-Day report. Timeframe: Wednesday 19-03-2025 18:00 - Thursday 20-03-2025 18:00. Handler: Felician Fuchs. Co-Handler: Michael Schlagenhaufer. News: HellCat hackers go on a worldwide Jira hacking spree. Swiss global solutions provider Ascom has confirmed a cyberattack on its IT infrastructure as a hacker group known as Hellcat targets Jira servers worldwide using compromised credentials. https://www.bleepingcomputer.com/news/security/hellcat-hackers-go-on-a-worldwide-jira-hacking-spree/

Data Breaches Digest - Week 12 2025 (Dunkie, 2025-05-01)
Welcome to this week's Data Breaches Digest, a catalogue of links concerning Data Breaches and Cyber Security that were published on the Internet during the period between 17th March and 23rd March 2025. 23rd March
Source: dbdigest.com

Reducing Remediation Time Remains a Challenge: How Tenable Vulnerability Watch Can Help (Satnam Narang, 2025-04-26)
Timely vulnerability remediation is an ongoing challenge for organizations as they struggle to prioritize the exposures that represent the greatest risk to their operations. Existing scoring systems are invaluable but can lack context. Here's how Tenable's Vulnerability Watch classification system can help. Background: Over the past six years working in Tenable's research organization, I've watched known vulnerabilities and zero-day flaws plague organizations
Source: securityboulevard.com

⚡ Weekly Recap: Windows 0-Day, VPN Exploits, Weaponized AI, Hijacked Antivirus and More (Ajit Jasrotia, 2025-04-14)
Attackers aren't waiting for patches anymore — they are breaking in before defenses are ready. Trusted security tools are being hijacked to deliver malware. Even after a breach is detected and patched, some attackers stay hidden. This week's events show a hard truth: it's not enough to react after an attack. You have to assume […] The post ⚡ Weekly Recap: Windows 0-Day, VPN Exploits, Weaponized
Related CVEs: CVE-2025-31565, CVE-2024-53150, CVE-2025-25211, CVE-2025-2636

Social Media

  • By Executive Order, We Are Banning Blacklists - Domain-Level RCE in Veeam Backup & Replication (CVE-2025-23120) #ExecutiveOrder #BanningBlacklists #VeeamReplication #CVE202523120 #RCEVulnerabilities https://t.co/jMpUAjgAIn
  • ⚠️ Vulnerability Alert: Rockwell Automation Lifecycle Services with Veeam Backup and Replication Deserialization Vulnerability 📅 Timeline: Disclosure: 2025-03-20, Patch: 2025-03-19 🆔cveId: CVE-2025-23120 📊baseScore: 9.4 📏cvssMetrics:
  • 🚨 RCE vulnerability (CVE-2025-23120) in Veeam Backup & Replication lets attackers execute arbitrary code via a deserialization flaw. Upgrade to v12.3.1 & disconnect B&R from AD domain to mitigate risk. #Veeam #Backup #Replication #watchTowrLabs ➡️ https://t.co/GdQN7WjRxl https://t.co/yf6B1Z9T9i
  • Tenable fixes an incorrect permission management flaw in Nessus Agent (code CVE-2025-23120). https://t.co/o6bZCYeGSO
  • 🚨 A critical vulnerability exists in Veeam Backup & Replication software (CVE-2025-23120). Please see the @ncsc_gov_ie advisory for more info: https://t.co/izXHa9KHVh
  • 🚨 Critical vulnerability in Veeam allows remote code execution 🔍 CVE-2025-23120 in Veeam Backup & Replication allows authenticated attackers to execute remote code via the .NET channel, due to insufficient data validation. 📌 Source: INCIBE-CERT https://t.co/lA2n3JDO0b
  • Bulletin: CVE-2025-23120 is a critical remote code execution (RCE) vulnerability in Veeam Backup & Replication versions 12.3.0.310 and earlier. Veeam has addressed this vulnerability in version 12.3.1 (build 12.3.1.1139). #ThreatIntel #RedLeggCTI #Veeam https://t.co/zXKAOp6mcT
  • Two major vendors just patched remote code execution flaws—update NOW before attackers exploit them. 🔴 Veeam Backup (CVE-2025-23120, 9.9/10) ➡️ Affects v12.3.0.310 & earlier ➡️ Allows RCE by authenticated users ➡️ Fixed in v12.3.1 (12.3.1.1139) 🔴 IBM AIX (CVE-2024-56346 & CVE
  • Veeam patches a critical RCE flaw (CVE-2025-23120) in Backup & Replication software, scoring 9.9 CVSS. Exploitable by domain users, it's fixed in v12.3.1. Also, IBM fixes two critical AIX bugs. Patch ASAP! #CyberSecurity #Vulnerability #TechUpdates
  • Critical Veeam Backup & Replication RCE vulnerability fixed, patch ASAP! (CVE-2025-23120) - Help Net Security https://t.co/cAYbV7WZCR

Affected Software

No affected software found for this CVE

References

  • [email protected]: https://www.veeam.com/kb4724
  • 134C704F-9B21-4F2E-91B3-4A467353BCC0: https://labs.watchtowr.com/by-executive-order-we-are-banning-blacklists-domain-level-rce-in-veeam-backup-replication-cve-2025-23120/

CWE Details

CWE ID: CWE-502
CWE Name: Deserialization of Untrusted Data
Description: The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid.
