March 2025 wasn’t your average low-traffic month. Threat actors sharpened their focus on backup systems, virtualization, network service stacks, and enterprise platforms rather than user apps or home routers. Among the standout issues: a critical remote code execution in Veeam Backup & Replication (CVE-2025-23120) that puts domain-joined backup servers at risk; three actively exploited VMware ESXi, Workstation and Fusion defects that chain from a guest administrator to the host; network infrastructure exposure through a stack overflow in Cisco’s SNMP subsystem; and additions to CISA’s Known Exploited Vulnerabilities (KEV) catalog covering enterprise applications such as Advantive VeraCore and Ivanti EPM. These weren’t “nice to have” bugs: they were elevated-risk, high-impact threats aimed at your operational backbone.
Below are five (plus) of the most consequential CVEs from March 2025, grouped by domain, with technical context and defense posture implications.
Backup & Replication under Siege
Key CVE(s): CVE-2025-23120
The most consequential headline in March was CVE-2025-23120, a critical remote code execution vulnerability in Veeam Backup & Replication (Veeam rates it CVSS 9.9). Any authenticated domain user can run arbitrary code on a domain-joined backup server, subverting the very trust boundary the backup tier is supposed to provide. Because backup servers sit at a privileged network tier, hold full image copies of the estate and store credentials for the hosts they protect, the compromise potential is large: alter or destroy restore points, plant backdoored images, or harvest credentials and pivot.
Technically, the flaw is deserialization of untrusted data in the .NET Remoting channel Veeam uses between its components. Veeam’s guard was a denylist of known-dangerous types, and a denylist only blocks the gadgets someone has already thought of: researchers found a permitted class that still reaches code execution, and a crafted payload rides straight through. The exploit conditions are loose: any domain user, not just a backup operator, can trigger it, provided the backup server is joined to the domain (a configuration Veeam’s own best-practice guidance advises against). Rapid7 and others have confirmed that exploitation is straightforward, so this is a patch-now issue.
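The denylist failure mode described above, shown as an added example in Python’s pickle rather than Veeam’s .NET code (this is not Veeam’s code and does not reproduce the .NET Remoting gadget). The two malicious streams are hand-built in protocol-0 opcodes so the chain is visible; the module names on the denylist, the allowlist entries and the benign message are assumptions chosen for the demo. The point generalizes: a module denylist blocks the obvious `os` reference but not `builtins.eval`, which imports `os` at runtime, whereas an allowlist of the exact callables the protocol needs refuses both.

```python
"""Denylist vs allowlist deserialization guards, demonstrated with pickle.
Added example illustrating the failure mode behind CVE-2025-23120; it is not
Veeam's code and does not reproduce the .NET Remoting gadget chain."""
import io
import os
import pickle

# Constructed protocol-0 pickle streams. Opcode key:
#   cMODULE\nNAME\n  push a global callable     (  mark
#   S'...'\n         push a string              t  tuple from mark
#   R                call callable(*tuple)      .  stop
DIRECT_OS_PAYLOAD = b"cos\ngetcwd\n(tR."
# Same effect through a callable no "dangerous module" list names:
# builtins.eval imports os at runtime, after the guard has already approved it.
EVAL_GADGET_PAYLOAD = b"cbuiltins\neval\n(S'__import__(\"os\").getcwd()'\ntR."
# A benign message of the kind the channel is meant to carry (assumed shape).
BENIGN_PAYLOAD = pickle.dumps({"job": "nightly-full", "retention_days": 30})


class DenylistUnpickler(pickle.Unpickler):
    """Blocks globals from modules known to be dangerous. This is the pattern
    that failed in Veeam: every callable outside the list is a candidate gadget."""
    DENIED_MODULES = {"os", "posix", "nt", "subprocess", "shutil", "sys"}

    def find_class(self, module, name):
        if module in self.DENIED_MODULES:
            raise pickle.UnpicklingError(f"denied: {module}.{name}")
        return super().find_class(module, name)


class AllowlistUnpickler(pickle.Unpickler):
    """Resolves only the globals the protocol legitimately needs; anything
    else, builtins.eval included, is refused before it is ever looked up."""
    ALLOWED = {("builtins", "set"), ("builtins", "frozenset"),
               ("collections", "OrderedDict"), ("datetime", "datetime")}

    def find_class(self, module, name):
        if (module, name) not in self.ALLOWED:
            raise pickle.UnpicklingError(f"not allowed: {module}.{name}")
        return super().find_class(module, name)


def load_with(unpickler_cls, payload):
    """('executed', value) if the stream fully deserialized, else ('blocked', reason)."""
    try:
        return "executed", unpickler_cls(io.BytesIO(payload)).load()
    except pickle.UnpicklingError as exc:
        return "blocked", str(exc)


def run_demo():
    """Outcome matrix: guard name -> payload name -> 'executed' | 'blocked'."""
    payloads = {"benign": BENIGN_PAYLOAD,
                "direct_os": DIRECT_OS_PAYLOAD,
                "eval_gadget": EVAL_GADGET_PAYLOAD}
    results = {}
    for guard_name, guard in (("denylist", DenylistUnpickler),
                              ("allowlist", AllowlistUnpickler)):
        results[guard_name] = {}
        for payload_name, payload in payloads.items():
            outcome, value = load_with(guard, payload)
            if outcome == "executed" and payload_name != "benign":
                # The "object" that came out of the stream is the result of
                # attacker-chosen code: the process's working directory.
                assert value == os.getcwd()
            results[guard_name][payload_name] = outcome
    return results


if __name__ == "__main__":
    for guard, row in run_demo().items():
        print(f"{guard:10} {row}")
```

Running it prints that the denylist lets the eval gadget through while the allowlist blocks both malicious streams and still accepts the benign message. The same reasoning applies to .NET: a `SerializationBinder` that rejects known gadget types is a denylist, and the durable fix is binding only the types the remoting contract actually uses, or dropping .NET Remoting for the channel altogether.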
Defense guidance: Update to the fixed build (12.3.1.1139 or later). Keep backup servers off the internet, segment them from the general AD and user zones, and enforce strict role separation. Where possible, run the backup infrastructure in a separate workgroup or a dedicated management forest rather than the production domain. Monitor for anomalous connections to the Veeam Backup Service and for deserialization errors in its logs, and restrict which domain groups are permitted to authenticate to it at all.
Virtualization & Hypervisor Risk: VMCI, HGFS and ESXi Guest-to-Host Escape
Key CVE(s): CVE-2025-22224, CVE-2025-22225, CVE-2025-22226
March also brought VMSA-2025-0004, an emergency Broadcom advisory for ESXi, Workstation and Fusion covering three vulnerabilities Broadcom said were already being exploited in the wild: CVE-2025-22224, a time-of-check/time-of-use race in the Virtual Machine Communication Interface (VMCI) that yields a heap overflow and lets a local administrator inside a guest execute code as the host’s VMX process; CVE-2025-22225, an arbitrary write in ESXi that lets code running in the VMX process escape its sandbox into the hypervisor; and CVE-2025-22226, an out-of-bounds read in the Host-Guest File System (HGFS) that leaks VMX process memory to a guest administrator. Chained, they take an attacker from administrator in one VM to control of the host.
The severity is compounded because hypervisor compromise is one of the highest-value outcomes an attacker can reach: once the host is controlled, every guest and its storage are within reach, and the guest’s own security tooling cannot see it. Many enterprise data centers and private clouds run ESXi clusters in production, so patch prioritization is essential.
Defense guidance: Patch all affected VMware hosts immediately; Broadcom published no workaround. Until then, treat local administrator rights inside a guest as a potential path to the host: limit who holds them, keep untrusted or internet-facing workloads off clusters that also run crown-jewel VMs, and enforce strict VM-to-host isolation. Audit guest-to-host interactions and watch host-level logs for unexpected VMX process crashes or core dumps, which accompany failed exploitation attempts.
Network Infrastructure & SNMP Exposure
Key CVE(s): CVE-2025-20352
Even network management protocols weren’t exempt. CVE-2025-20352 affects the SNMP subsystem of Cisco IOS and IOS XE: a stack-based buffer overflow triggered by a crafted SNMP packet. An attacker holding a valid SNMPv1/v2c read-only community string or SNMPv3 credentials can crash and reload the device; one who also holds privilege-15 administrator credentials can execute code as root on IOS XE. Because monitoring, alerting and telemetry all ride on SNMP, a single leaked community string becomes a denial-of-service primitive against every device that accepts it, and a compromised admin account becomes a path deep into the switch or router control plane.
Exploitation requires reaching the device’s SNMP listener, so the risk concentrates wherever SNMP is permitted from broad segments rather than a dedicated monitoring subnet, and wherever community strings are shared across the estate or still set to vendor defaults. Because SNMP often lives in trusted network zones, the lateral movement risk is real.
Defense guidance: Upgrade Cisco devices to a release that closes CVE-2025-20352. Limit SNMP access to authorized management addresses with an ACL, move to SNMPv3 with authentication and encryption (authPriv) and retire v1/v2c community strings, and use SNMP views to expose only the OID subtrees your monitoring actually needs. Monitor for SNMP traffic from unexpected sources, unexplained device reloads, and malformed or unusually large requests.
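The weak and hardened SNMP configurations side by side, as an added Cisco IOS configuration fragment (example configuration, not from Cisco’s advisory; the ACL number, view and group names, management subnet and passphrases are placeholders to replace with your own):

```text
! --- Weak: v1/v2c with guessable community strings, answering any source ---
snmp-server community public RO
snmp-server community private RW

! --- Hardened ---
! 1. Only the monitoring subnet may talk SNMP to the device (placeholder range).
access-list 99 remark SNMP-MANAGERS
access-list 99 permit 10.0.50.0 0.0.0.255
access-list 99 deny any log

! 2. Expose only the subtrees monitoring needs; everything else stays hidden.
snmp-server view MON-VIEW system included
snmp-server view MON-VIEW 1.3.6.1.2.1.2 included
snmp-server view MON-VIEW 1.3.6.1.2.1.31 included

! 3. SNMPv3 authPriv group bound to the read view and the ACL; no write view.
snmp-server group MON-GRP v3 priv read MON-VIEW access 99
snmp-server user netmon MON-GRP v3 auth sha AUTH-PASSPHRASE priv aes 128 PRIV-PASSPHRASE

! 4. Remove the community strings so v1/v2c no longer answers at all.
no snmp-server community public
no snmp-server community private
```

The ACL closes off the reachability an exploit needs, the view shrinks the attack surface to the OIDs you poll (1.3.6.1.2.1.2 is the interfaces subtree, 1.3.6.1.2.1.31 the ifMIB extensions), and dropping to a single authPriv user means a leaked read-only string no longer exists to leak. Verify with `show snmp group` and `show snmp user` after applying, and confirm your poller still receives data before rolling out fleet-wide.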
Enterprise Platform Exploits: Advantive VeraCore & Ivanti EPM
Key CVE(s): CVE-2025-25181 and Ivanti EPM path traversal flaws
March also saw CVE-2025-25181 added to CISA’s KEV catalog: an SQL injection vulnerability in Advantive VeraCore, a warehouse, inventory and order management platform. A remote request with a crafted PmSess1 parameter injects arbitrary SQL into the backend query, letting an attacker read or corrupt order and process data and, depending on the database account’s privileges, reach the underlying server. Because VeraCore sits in the middle of ERP, warehouse and API integrations, this injection point is dangerous well beyond the application itself.
In the same KEV update, multiple Ivanti Endpoint Manager (EPM) absolute path traversal vulnerabilities (several CVE IDs) were also added. They let an attacker read files outside the intended directories, leaking sensitive data and providing a foothold for privilege escalation against the EPM server, which itself holds broad reach over managed endpoints.
Though individually these may not reach hypervisor control, in a composite enterprise stack (ERP → order systems → EPM → identity), such exposure can create attack chains.
Defense guidance: For VeraCore, apply the vendor patch; filtering the PmSess1 parameter at a WAF buys time but is not the fix, parameterized queries are. Run the application’s database account with least privilege so an injection cannot reach beyond its own tables. For Ivanti EPM, apply updates, keep the management interfaces off the internet and restricted to trusted zones, and scan web logs for traversal sequences. WAF rules for file-path and SQL payloads add a detection layer ahead of the patch.
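One detector that serves both passages above, the PmSess1 injection and the EPM path traversal, as an added example in Python (not VeraCore, Ivanti or CISA code). It parses IIS W3C-style log lines, URL-decodes each query value twice to defeat double encoding, and flags SQL metacharacters in the PmSess1 parameter and traversal or absolute-path patterns in any parameter or URI stem. The log lines are constructed for the demo, and the endpoint names `/session.asp` and `/api/download` are assumptions, not the real vulnerable paths.

```python
"""Scan IIS W3C log lines for SQL injection against PmSess1 and for
path-traversal payloads. Added example; sample lines are constructed and the
endpoint names are assumptions, not VeraCore or Ivanti EPM paths."""
import re
from urllib.parse import parse_qs, unquote

# Constructed sample in IIS W3C field order: date time s-ip cs-method
# cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
SAMPLE_LOG = """\
2025-03-11 02:14:07 10.0.0.5 GET /session.asp PmSess1=ABC123 443 - 198.51.100.7 Mozilla/5.0 200
2025-03-11 02:14:09 10.0.0.5 GET /session.asp PmSess1=ABC123'+OR+'1'%3D'1 443 - 198.51.100.7 Mozilla/5.0 200
2025-03-11 02:14:11 10.0.0.5 GET /session.asp PmSess1=1'+WAITFOR+DELAY+'0:0:5'-- 443 - 198.51.100.7 Mozilla/5.0 200
2025-03-11 02:15:30 10.0.0.9 GET /api/download file=..%2F..%2F..%2Fwindows%2Fwin.ini 443 - 203.0.113.4 curl/8.4 200
2025-03-11 02:15:40 10.0.0.9 GET /api/download file=C%3A%5CWindows%5Cwin.ini 443 - 203.0.113.4 curl/8.4 200
2025-03-11 02:16:00 10.0.0.9 GET /api/download file=report.pdf 443 - 192.0.2.10 Mozilla/5.0 200
"""

# Parameters whose values must be opaque tokens and never contain SQL syntax.
# Add further parameter names here to extend coverage.
SQLI_WATCHED_PARAMS = {"PmSess1"}

SQLI_RE = re.compile(
    r"""['"]|--|/\*|\b(?:or|and|union|select|waitfor|sleep|benchmark)\b""", re.I)
TRAVERSAL_RE = re.compile(
    r"""(?:^|[\\/])\.\.(?:[\\/]|$)   # a ../ or ..\ path segment
        |^[A-Za-z]:[\\/]              # absolute Windows drive path
        |^/(?:etc|proc|windows)/      # absolute path into a sensitive tree
    """, re.I | re.X)


def parse_iis_line(line):
    """Split one W3C line into the fields the detector needs; None if malformed."""
    f = line.split()
    if len(f) < 11:
        return None
    return {"stem": f[4], "query": f[5], "client": f[8], "status": f[10]}


def decode_twice(value):
    # Attackers double-encode to slip past single-decode filters, so
    # %252e%252e%252f and %2e%2e%2f must both come out as "../".
    return unquote(unquote(value))


def scan_line(line):
    """Return a list of findings for one log line (empty if clean)."""
    rec = parse_iis_line(line)
    if rec is None:
        return []
    findings = []
    params = {} if rec["query"] == "-" else parse_qs(rec["query"], keep_blank_values=True)
    for name, values in params.items():
        for raw in values:
            value = decode_twice(raw)
            if name in SQLI_WATCHED_PARAMS and SQLI_RE.search(value):
                findings.append({"client": rec["client"], "rule": "sqli",
                                 "param": name, "value": value})
            if TRAVERSAL_RE.search(value):
                findings.append({"client": rec["client"], "rule": "path-traversal",
                                 "param": name, "value": value})
    if TRAVERSAL_RE.search(decode_twice(rec["stem"])):
        findings.append({"client": rec["client"], "rule": "path-traversal",
                         "param": "<uri-stem>", "value": rec["stem"]})
    return findings


def scan_log(text):
    """Scan a whole log body and return findings in line order."""
    return [f for line in text.splitlines() if line.strip() for f in scan_line(line)]


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['client']:15} {f['rule']:15} {f['param']}={f['value']!r}")
```

On the sample it reports two SQL injection attempts from 198.51.100.7 and two traversal attempts from 203.0.113.4 while leaving the legitimate requests alone; the client field is carried through so findings can feed a block list. Note the decoded value is what gets matched, which is also why a WAF rule that inspects only the raw query string misses `%2e%2e%2f`.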
Additional Notes: Microsoft’s March Patch Cycle
In March 2025, Microsoft released a significant patch set: 56 CVEs patched overall, six of them rated critical, with fixes spanning .NET, Azure components, LSASS, and Windows core subsystems. Six zero-days already under active exploitation were closed, in Win32k, NTFS, Fast FAT and the Microsoft Management Console. None of these were March’s headline flaws, but the scope underscores the perennial need to stay current on Microsoft patching in enterprise contexts.
Wrap-Up: Chains, Expansion, and Urgency
March 2025 revealed a clear pattern: threat actors are targeting enterprise foundation layers — backups, virtualization, network control, and business platforms — rather than focusing on client-side attacks. Backup systems (Veeam) and hypervisors (VMware) once again took center stage as high-leverage targets. Network infrastructures via SNMP and management channels were exposed. And enterprise platforms (VeraCore, Ivanti) proved that even “application layer” systems can be leveraged into broader attack chains.
For defenders, the message is urgent: patch quickly, segment aggressively, tighten identity controls, and hunt for exploit indicators across the stack. If your environment includes Veeam, VMware clusters, Cisco SNMP systems, Advantive, or Ivanti, every hour counts.
If you need help verifying exposure, designing a remediation roadmap, operationalizing patching, or executing threat hunting in your environment — THIRD SPECTRUM has your back. Reach out and let’s harden your foundations before the next chain starts.
Stay sharp and fully caffeinated — SpectaBot out.
