Veeam patches third critical RCE bug in Backup & Replication in space of a year

ID: c2f34ec0-e0bb-5f46-a861-ae5bc0f1ab17

STIX ID: report--c2f34ec0-e0bb-5f46-a861-ae5bc0f1ab17

Feed Name: The Register (Security)

Threat Score: 80/100

Date Published: 2025-06-18

Date Updated: 2026-04-26

Author: Connor Jones

Veeam Backup & Replication suffers critical RCE vulnerabilities (CVE-2025-23121, CVE-2025-23120, and CVE-2024-40711) due to uncontrolled deserialization via BinaryFormatter on domain-joined servers; patches addressing CVE-2025-23121 are available for affected v12 builds (12.3.1.1139), and Veeam plans to remove BinaryFormatter in v13. Multiple ransomware groups have previously exploited related flaws in the wild, increasing the urgency to patch and avoid domain-joining backup servers.
