
CVE-2025-9120: CWE-94 Improper Control of Generation of Code ('Code Injection') in OpenText™ Carbonite Safe Server Backup

Severity: High
Tags: Vulnerability, CVE-2025-9120, CWE-94
Published: Tue Feb 24 2026 (02/24/2026, 00:03:08 UTC)
Source: CVE Database V5
Vendor/Project: OpenText™
Product: Carbonite Safe Server Backup

Description

Improper Control of Generation of Code ('Code Injection') vulnerability in OpenText™ Carbonite Safe Server Backup allows Code Injection. The vulnerability could be exploited through an open port, potentially allowing unauthorized access. This issue affects Carbonite Safe Server Backup: through 6.8.3.

AI-Powered Analysis

Machine-generated threat intelligence

AI analysis last updated: 03/03/2026, 01:32:05 UTC

Technical Analysis

CVE-2025-9120 is a vulnerability classified under CWE-94, indicating improper control of code generation leading to code injection in OpenText™ Carbonite Safe Server Backup versions through 6.8.3. The flaw allows an attacker to remotely inject and execute arbitrary code on the affected system by exploiting an open network port exposed by the backup software. The vulnerability requires no authentication or user interaction, making it highly accessible to attackers with network access. The CVSS 4.0 base score is 8.6, reflecting high severity due to the vulnerability's potential to compromise confidentiality, integrity, and availability with high impact and low attack complexity. The vulnerability does not involve scope or privilege changes but has a high impact on all security properties. No patches were linked at the time of reporting, and no known exploits have been observed in the wild, though the risk remains significant. The vulnerability arises from insufficient validation or sanitization of inputs used in code generation routines within the backup software, enabling malicious code injection. This can lead to full system compromise, data theft, or disruption of backup and recovery operations. The vulnerability affects organizations relying on Carbonite Safe Server Backup for data protection, especially those exposing the service to untrusted networks.

Potential Impact

The impact of CVE-2025-9120 is substantial for organizations worldwide using OpenText™ Carbonite Safe Server Backup. Exploitation can lead to arbitrary code execution, allowing attackers to gain unauthorized control over backup servers. This can result in data theft, manipulation, or destruction, undermining data integrity and availability critical for business continuity. Attackers could disable or corrupt backup processes, complicating recovery from other incidents like ransomware. The confidentiality of sensitive backup data is at risk, potentially exposing proprietary or personal information. Given the backup server's central role, compromise could facilitate lateral movement within networks, escalating attacks. The vulnerability's remote exploitability without authentication increases the attack surface, especially if the service is exposed to the internet or untrusted networks. Organizations in sectors with stringent data protection requirements, such as finance, healthcare, and government, face heightened risks of regulatory penalties and reputational damage. The absence of known exploits currently provides a window for proactive defense, but the high severity score indicates urgent remediation is necessary to prevent future attacks.

Mitigation Recommendations

To mitigate CVE-2025-9120, organizations should immediately assess their exposure by identifying Carbonite Safe Server Backup instances, especially those accessible via open network ports. Network segmentation and firewall rules should be enforced to restrict access to the backup server only to trusted management and backup infrastructure IPs. Employ virtual private networks (VPNs) or other secure channels to access backup services remotely. Monitor network traffic for unusual activity targeting the backup server's ports. Since no patches are currently linked, coordinate with OpenText for timely updates or security advisories. Implement application-layer protections such as Web Application Firewalls (WAFs) or Intrusion Prevention Systems (IPS) with signatures targeting code injection patterns if available. Conduct thorough input validation and sanitization where possible in custom integrations with the backup software. Regularly audit backup server logs for signs of exploitation attempts. Develop and test incident response plans specific to backup infrastructure compromise. Finally, maintain offline or immutable backups to ensure recovery capability if the backup server is compromised.


Technical Details

Data Version: 5.2
Assigner Short Name: OpenText
Date Reserved: 2025-08-18T18:06:33.953Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 699cf533be58cf853bf604d1

Added to database: 2/24/2026, 12:47:47 AM

Last enriched: 3/3/2026, 1:32:05 AM

Last updated: 4/10/2026, 8:15:50 AM

Views: 75
