Infoseccers criticize Veeam over critical RCE vulnerability and a failing blacklist

In patching the latest critical remote code execution (RCE) bug in Backup and Replication, software shop Veeam is attracting criticism from researchers for the way it handles uncontrolled deserialization vulnerabilities. The vendor patched the near-maximum severity CVE-2025-23120 (9.9) on March 19. The flaw can be exploited by any authenticated domain user, provided the Veeam server is domain-joined.

Source: The Register

 

