Lifecycle Services with Veeam Backup and Replication are Vulnerable to third-party Vulnerabilities

Lifecycle Services with Veeam Backup and Replication are Vulnerable to third-party Vulnerabilities

Published Date: 03/21/25

Last updated: 03/27/25

Revision Number: 1.0

The security of our products is important to us as your chosen industrial automation supplier.  This anomaly was found through a third-party advisory and is being reported based on our commitment to customer transparency and to improve their business or production environments.

AFFECTED PRODUCTS AND SOLUTION

REMEDIATIONS AND WORKAROUNDS

Users with an active Rockwell Automation Infrastructure Managed Service contract:

Rockwell Automation will contact impacted users to discuss actions needed for remediation efforts. 

Users without Rockwell Automation managed services contract, refer to Veeam’s advisories below:

·         Support Content Notification - Support Portal – Veeam support portal

·         https://www.veeam.com/kb4724

Additionally, users using the affected software, who are not able to upgrade to one of the corrected versions, are encouraged to apply security best practices, where possible.   

·         Security Best Practices

VULNERABILITY DETAILS

Rockwell Automation used v3.1 and v4.0 of the CVSS scoring system to assess the following vulnerabilities.

CVE-2025-23120

A remote code execution vulnerability exists in Veeam Backup & Replication, which the affected products use. Exploitation of the vulnerability can allow a threat actor to execute code on the target system.

CVSS 3.1 Base Score: 9.9

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CVSS 4.0 Base Score: 9.4

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Known Exploited Vulnerability (KEV) database:   No

 ADDITIONAL RESOURCES

The following link provides CVE information in Vulnerability Exploitability Exchange (VEX) format, which is machine readable and can be used to automate vulnerability management and tracking activities.