CVSS v31 Score: 99 for Domain-Joined VB&R Servers – Critical Vulnerability (CVE-2025-23120)

A critical vulnerability (CVE-2025-23120) with a CVSS v3.1 score of 9.9 has been identified in domain-joined Veeam Backup & Replication (VB&R) servers. This high-severity flaw could allow attackers to execute arbitrary code, escalate privileges, or compromise backup infrastructure.

Reference: Veeam KB4724

You Should Know:

1. Vulnerability Analysis

• CVSS Breakdown:
• Attack Vector: Network
• Attack Complexity: Low
• Privileges Required: None
• User Interaction: Not Required
• Impact: Confidentiality, Integrity, and Availability (CIA Triad)

2. Mitigation Steps

1. Patch Immediately:

<h1>Check current Veeam version</h1>

Get-WmiObject -Class Win32_Product | Where-Object {$_.Name -like "*Veeam*"} | Select Name, Version 

2. Isolate Affected Servers:

<h1>Linux - Block suspicious inbound traffic</h1>

sudo iptables -A INPUT -s <malicious_IP> -j DROP 

3. Verify Domain Trusts:

<h1>Check domain trust health</h1>

Test-ComputerSecureChannel -Repair 

3. Exploit Prevention

• Disable Unnecessary Services:

  </li>
  </ul>
  
  <h1>Linux - Disable vulnerable RPC services</h1>
  
  sudo systemctl disable rpcbind 
  

  – Enable Enhanced Logging (Windows):

  
  <h1>Enable PowerShell script block logging</h1>
  
  Set-Location "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" 
  Set-ItemProperty -Path . -Name "EnableScriptBlockLogging" -Value 1 
  

  4. Post-Exploitation Detection

  • Check for Suspicious Processes:

    </li>
    </ul>
    
    <h1>Linux - List unusual processes</h1>
    
    ps aux | grep -E '(sh|bash|curl|wget|nc|ncat|socat)' 
    

    – Audit Windows Event Logs:

    
    <h1>Filter for suspicious logins</h1>
    
    Get-WinEvent -LogName Security | Where-Object {$<em>.ID -eq 4624 -and $</em>.Properties[8].Value -eq "%%1842"} 
    

    What Undercode Say:

    This vulnerability poses a severe risk to organizations relying on Veeam for backups. Immediate patching and network segmentation are critical. Attackers could weaponize this flaw to exfiltrate backups or deploy ransomware. Proactive monitoring and hardening of domain-joined systems are non-negotiable.

    Key Commands Recap:

    • Linux:

      </li>
      </ul>
      
      <h1>Check open ports</h1>
      
      ss -tulnp
      
      <h1>Kill malicious process</h1>
      
      sudo kill -9 $(pgrep -f "malicious_pattern") 
      

      – Windows:

      
      <h1>Force Group Policy update</h1>
      
      gpupdate /force
      
      <h1>Disable vulnerable SMBv1</h1>
      
      Disable-WindowsOptionalFeature -Online -FeatureName "SMB1Protocol" 
      

      Expected Output:

      • Patching confirmation:

        Veeam KB4724 successfully applied. 
        

      • Exploit attempt detection:

        [ALERT] Unauthorized RPC connection from 192.168.1.100 blocked. 
        

      Reference: Veeam KB4724

      References:

      Reported By: Marcin Parusel – Hackers Feeds
      Extra Hub: Undercode MoN
      Basic Verification: Pass ✅

      Join Our Cyber World:

      💬 Whatsapp | 💬 Telegram