Skip to main content
CVE Vulnerability Database

CVE-2025-9120: Carbonite Safe Server Backup RCE Flaw

CVE-2025-9120 is a remote code execution vulnerability in OpenText Carbonite Safe Server Backup that allows code injection through an open port. This article covers the technical details, affected versions, and mitigation.

Published:

CVE-2025-9120 Overview

CVE-2025-9120 is a Code Injection vulnerability (CWE-94) identified in OpenText™ Carbonite Safe Server Backup. The vulnerability arises from improper control of code generation, which could allow an attacker to inject and execute arbitrary code on affected systems. The flaw can be exploited through an open port, potentially enabling unauthorized access to the backup server infrastructure.

Critical Impact

This code injection vulnerability could allow attackers to execute arbitrary code on backup servers, potentially compromising data integrity, stealing sensitive backup data, or using the compromised system as a pivot point for further network intrusion.

Affected Products

  • OpenText™ Carbonite Safe Server Backup through version 6.8.3

Discovery Timeline

  • 2026-02-24 - CVE-2025-9120 published to NVD
  • 2026-02-24 - Last updated in NVD database

Technical Details for CVE-2025-9120

Vulnerability Analysis

This vulnerability falls under CWE-94 (Improper Control of Generation of Code), commonly known as Code Injection. The flaw exists in OpenText™ Carbonite Safe Server Backup and stems from insufficient validation or sanitization of input data that is subsequently used in code generation operations. Attackers with local access can exploit this vulnerability to inject malicious code that the application will then execute, potentially with elevated privileges associated with the backup service.

The local attack vector means an attacker would need some level of access to the target system to exploit this vulnerability. However, once exploited, the high confidentiality, integrity, and availability impact indicates that an attacker could gain complete control over the backup system, access sensitive backup data, modify backup configurations, or disrupt backup operations entirely.

Root Cause

The root cause of this vulnerability is improper control of code generation within the Carbonite Safe Server Backup application. The software fails to properly validate, filter, or sanitize user-controllable input before incorporating it into dynamically generated code. This allows an attacker to inject malicious code constructs that are then executed by the application's interpreter or runtime environment.

Backup software often handles various configuration parameters, scripting capabilities, and automation features that may involve dynamic code execution. When these mechanisms lack proper input validation, they become susceptible to code injection attacks.

Attack Vector

The vulnerability is exploited through an open port on the affected system. An attacker with local access to the system can craft malicious input that exploits the code injection vulnerability. The attack flow typically involves:

  1. Identifying the vulnerable service listening on an open port
  2. Crafting malicious input containing injected code payloads
  3. Sending the malicious input to the vulnerable endpoint
  4. The application processes the input without proper sanitization
  5. The injected code is executed with the privileges of the backup service

Due to the local attack vector, this vulnerability is most dangerous in environments where untrusted users have local access to servers running Carbonite Safe Server Backup, or in scenarios where an attacker has already gained initial access through other means.

Detection Methods for CVE-2025-9120

Indicators of Compromise

  • Unusual process spawning from the Carbonite Safe Server Backup service
  • Unexpected network connections originating from the backup application
  • Anomalous file system modifications in backup-related directories
  • Suspicious command-line arguments or scripts executed by the backup service

Detection Strategies

  • Monitor for unusual code execution patterns originating from the Carbonite Safe Server Backup process
  • Implement application whitelisting to detect unauthorized code execution
  • Deploy endpoint detection and response (EDR) solutions to identify code injection attempts
  • Review access logs for the affected service ports for suspicious connection patterns

Monitoring Recommendations

  • Enable verbose logging for the Carbonite Safe Server Backup application
  • Monitor system calls and API usage from the backup service process
  • Implement file integrity monitoring for backup application directories
  • Configure alerts for privilege escalation attempts from the backup service context

How to Mitigate CVE-2025-9120

Immediate Actions Required

  • Update OpenText™ Carbonite Safe Server Backup to a version newer than 6.8.3 as patches become available
  • Restrict local access to systems running the vulnerable backup software
  • Review and limit network exposure of the affected service ports
  • Implement network segmentation to isolate backup infrastructure

Patch Information

OpenText has published a security bulletin addressing this vulnerability. For detailed patch information and remediation guidance, refer to the Carbonite Security Bulletin. Organizations should prioritize applying the vendor-provided patches as soon as they become available for their environment.

Workarounds

  • Restrict local system access to only trusted administrators
  • Implement strict firewall rules to limit access to the vulnerable service ports
  • Enable application-level logging and monitoring to detect exploitation attempts
  • Consider temporarily disabling non-essential features that may expose the code injection surface until patching is complete

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.