CVE-2025-23120 - request for veeam comment

[skate88]

as we only have the one liner
"A vulnerability allowing remote code execution (RCE) by authenticated domain users."
to go on and a link to the home page of watchtowr.com its worth reading the below link

https://labs.watchtowr.com/by-executive ... 025-23120/

anyone from veeam prepared to comment on this article ?

[Gostev]

For the context - someone told me a while back that Watchtowr made its name on and been specializing on BinaryFormatter vulnerabilities - in a sense that they find all software using this Microsoft technology and dig it for vulnerabilities. They are like bees and BinaryFormatter is their honey!

It's true there's no ultimate, final fix for BinaryFormatter related vulnerabilities. Nevertheless, Veeam's exclusions list is actually pretty close to "perfect" in their own terms because our security team has been putting a lot of focus on this known attack vector in the past few years, so there's much scrutiny applied to exclusions. And so has been Watchtowr themselves, for which we're very thankful, who by the way were the first to bring us the first related vulnerability some years ago; as well as many other external researchers. And all of them were not able to find nearly as many omissions as the FUD in the article implies to exist.

Still, the exclusion list is hard to make perfect, so these will keep dripping occasionally. And because we do want our software to be perfect, we're no longer using BinaryFormatter in V13, thus closing a chapter on this whole class of vulnerabilities.

[skate88]

thanks very much for the prompt answer !

kind regards
neil

[mikeely]

It's true there's no ultimate, final fix for BinaryFormatter related vulnerabilities. Nevertheless, Veeam's exclusions list is actually pretty close to "perfect"

Is there any reason not to move to an inclusions list rather than an exclusions list?

Still, because the exclusion list is hard to make perfect, and we do want our software to be perfect, we're no longer using BinaryFormatter in V13, thus closing a chapter on this whole class of vulnerabilities.

This is rad, speaking just from my own perspective I really appreciate it.

[Gostev]

As our AppSec engineers explained me that both this change and just removing BinaryFormatter deserialization mechanism completely are very impactful and require comparable heavy lifting to implement and test all affected areas for regressions, thus requiring a major release to implement. However, the latter path gets our product to a much better place overall and provides the permanent solution, which is why we chose this route for V13.