The Register: Infoseccers criticize Veeam over critical RCE vulnerability and a failing blacklist

Source URL: https://www.theregister.com/2025/03/20/infoseccers_criticize_veeam_over_critical/
Source: The Register
Title: Infoseccers criticize Veeam over critical RCE vulnerability and a failing blacklist

Feedly Summary: Palming off the blame using an ‘unknown’ best practice didn’t go down well either
In patching the latest critical remote code execution (RCE) bug in Backup and Replication, software shop Veeam is attracting criticism from researchers for the way it handles uncontrolled deserialization vulnerabilities.…

AI Summary and Description: Yes

Summary: The text discusses a critical vulnerability in Veeam's Backup and Replication software, focusing on the potential for exploitation via uncontrolled deserialization, particularly by domain users in poorly secured Active Directory environments. Researchers criticize Veeam's reliance on an ineffective blocklist-based mitigation.

Detailed Description: The text covers a recent critical remote code execution (RCE) vulnerability (CVE-2025-23120) in Veeam’s Backup and Replication software that could allow any authenticated domain user to exploit it if the server is domain-joined. Key insights include:

– **Severity of the Vulnerability**: The vulnerability carries a near-maximum severity score of 9.9, underlining the risk it poses.
– **Authentication Weakness**: Although exploitation requires authentication, that requirement is described as a weak barrier, especially where organizations lack robust Active Directory configurations.
– **Vendor Responsibility**: Veeam states that domain-joining the backup server is against best practice, but this guidance is reportedly unknown to many users, pointing to a gap in user awareness and in the vendor's communication.
– **Ransomware Target**: Veeam systems are frequently targeted by ransomware groups, which can often obtain at least one domain user account and thereby endanger the entire network.
– **Flaws in Mitigation Strategy**: The researchers criticize Veeam's use of a blocklist to mitigate deserialization vulnerabilities, favoring an allowlist (whitelist) as the more effective strategy. They point out that the blocklist approach is reactive: every gadget the list misses leaves users exposed until it is discovered and added.
– **Multiple Vulnerabilities Under One CVE**: Criticism is also leveled at Veeam for consolidating two separate vulnerabilities under a single CVE identifier, which could obscure the software's true risk profile.
– **Call for Accountability**: The researchers call for accountability from vendors like Veeam in light of these serious vulnerabilities, arguing that reliance on blocklists is insufficient against evolving threats.

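The blocklist-versus-allowlist point above is easiest to see in code. The following is an added example, not code from the article or from Veeam: it models a deserializer gate in Python using the standard-library `pickle.Unpickler.find_class` hook (Veeam's product is .NET, where the equivalent control is a `SerializationBinder`, but the principle is identical). The `BackupJob` and `LegacyReportWriter` classes and the `KNOWN_BAD` entries are constructed for the illustration. The blocklist gate only rejects types it has already heard of, so a type it has never seen, such as `LegacyReportWriter`, sails through; the allowlist gate rejects anything not explicitly expected.

```python
import io
import pickle


class BackupJob:
    """Constructed example of a type the application legitimately serializes."""

    def __init__(self, name: str, retention_days: int) -> None:
        self.name = name
        self.retention_days = retention_days


class LegacyReportWriter:
    """Constructed stand-in for a type that is reachable by the deserializer,
    was never meant to arrive over the wire, and is on nobody's blocklist yet."""

    def __init__(self, path: str) -> None:
        self.path = path


# Reactive approach: a list of types previously reported as dangerous.
# Anything not on this list is allowed through, including types nobody has audited.
KNOWN_BAD = {("os", "system"), ("subprocess", "Popen"), ("builtins", "eval")}

# Proactive approach: the closed set of types this deserializer is expected to produce.
# Using __module__ keeps the entry correct whether the file runs as a script or is imported.
ALLOWED = {(BackupJob.__module__, "BackupJob")}


class BlocklistUnpickler(pickle.Unpickler):
    """Rejects only types that are already on the blocklist (the pattern the article criticizes)."""

    def find_class(self, module: str, name: str):
        if (module, name) in KNOWN_BAD:
            raise pickle.UnpicklingError(f"blocked known gadget {module}.{name}")
        return super().find_class(module, name)


class AllowlistUnpickler(pickle.Unpickler):
    """Rejects every type except those explicitly expected."""

    def find_class(self, module: str, name: str):
        if (module, name) not in ALLOWED:
            raise pickle.UnpicklingError(f"type {module}.{name} is not on the allowlist")
        return super().find_class(module, name)


def serialize(obj) -> bytes:
    """Produce the byte stream a client would send (constructed input for the demo)."""
    return pickle.dumps(obj, protocol=pickle.HIGHEST_PROTOCOL)


def gate(unpickler_cls, data: bytes) -> str:
    """Run one gate over a payload and report 'accepted <Type>' or 'rejected: <reason>'."""
    try:
        obj = unpickler_cls(io.BytesIO(data)).load()
    except pickle.UnpicklingError as exc:
        return f"rejected: {exc}"
    return f"accepted {type(obj).__name__}"


def audit() -> dict:
    """Compare both gates on an expected payload and on an unexpected, unlisted type.

    Returns {payload_name: {"blocklist": result, "allowlist": result}}.
    """
    payloads = {
        "BackupJob": serialize(BackupJob("nightly-full", retention_days=30)),
        "LegacyReportWriter": serialize(LegacyReportWriter("/tmp/report.txt")),
    }
    return {
        name: {
            "blocklist": gate(BlocklistUnpickler, data),
            "allowlist": gate(AllowlistUnpickler, data),
        }
        for name, data in payloads.items()
    }


if __name__ == "__main__":
    for payload, results in audit().items():
        for strategy, outcome in results.items():
            print(f"{payload:20} {strategy:10} {outcome}")
```

Running it shows the gap the researchers describe: both gates accept the legitimate `BackupJob`, but only the allowlist rejects `LegacyReportWriter`, because the blocklist has no entry for a type that was never reported as a gadget. Every such miss must be found, reported, and added to the list before the blocklist catches it, which is exactly the reactive cycle the article criticizes.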
Overall, the text highlights concerns about software security and vulnerability management, underscoring the importance of resilient design and proactive mitigation for professionals responsible for the integrity of an organization's IT infrastructure.