CVE-2025-9120: CWE-94 Improper Control of Generation of Code ('Code Injection') in OpenText™ Carbonite Safe Server Backup
CVE-2025-9120 is a high-severity code injection vulnerability in OpenText™ Carbonite Safe Server Backup versions up to 6.8.3. It stems from improper control over code generation, classified under CWE-94. The flaw can be exploited remotely via an open port without requiring authentication or user interaction, allowing attackers to execute arbitrary code with high impact on confidentiality, integrity, and availability. Although no known exploits are currently reported in the wild, the vulnerability poses a significant risk to organizations using affected versions. The vulnerability's CVSS 4.0 score is 8.6, reflecting its critical nature. Organizations relying on Carbonite Safe Server Backup should prioritize patching once updates become available and implement network-level controls to restrict access to the vulnerable service.
AI Analysis
Technical Summary
CVE-2025-9120 is a critical vulnerability identified in OpenText™ Carbonite Safe Server Backup, affecting versions through 6.8.3. The vulnerability is categorized as CWE-94, indicating improper control of code generation, commonly known as code injection. This flaw allows an attacker to inject and execute arbitrary code on the affected system by exploiting an open network port exposed by the backup software. The vulnerability does not require any authentication or user interaction, making it remotely exploitable by unauthenticated attackers. The CVSS 4.0 vector (AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N) indicates a local attack vector, but with low complexity, no privileges, no user interaction, and high impact on confidentiality, integrity, and availability. The vulnerability could allow attackers to compromise backup servers, potentially leading to data theft, data manipulation, or disruption of backup and recovery operations. Although no public exploits have been reported yet, the nature of the vulnerability and the critical role of backup systems in enterprise environments make it a significant threat. The vulnerability was reserved in August 2025 and published in February 2026, with no patches currently listed, emphasizing the need for immediate mitigation steps.
Potential Impact
The exploitation of CVE-2025-9120 could have severe consequences for organizations worldwide. Successful code injection could lead to full system compromise of backup servers, enabling attackers to access sensitive backup data, alter or delete backups, and disrupt disaster recovery processes. This can result in data loss, prolonged downtime, and potential ransomware attacks leveraging compromised backup infrastructure. The high impact on confidentiality, integrity, and availability threatens business continuity and regulatory compliance, especially for sectors relying heavily on data protection such as finance, healthcare, and government. The vulnerability's remote exploitability without authentication increases the attack surface, making it attractive for threat actors. Organizations with exposed backup servers on public or poorly segmented networks face elevated risks. Additionally, the compromise of backup systems could serve as a pivot point for further network intrusion and lateral movement within enterprise environments.
Mitigation Recommendations
Until an official patch is released, organizations should implement the following specific mitigations:
1) Restrict network access to Carbonite Safe Server Backup ports using firewalls or network segmentation to limit exposure to trusted hosts only.
2) Employ strict access control lists (ACLs) and VPNs to secure remote management interfaces.
3) Monitor network traffic and logs for unusual activity targeting backup server ports.
4) Disable or uninstall Carbonite Safe Server Backup on systems where it is not essential.
5) Conduct regular backups of backup server configurations and data to enable recovery if compromised.
6) Prepare incident response plans specifically addressing backup infrastructure compromise.
7) Stay alert for vendor advisories and apply patches immediately upon release.
8) Use application whitelisting and endpoint detection and response (EDR) tools to detect and block suspicious code execution on backup servers.
These targeted actions go beyond generic advice by focusing on reducing the attack surface and enhancing detection specific to this vulnerability.
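As an added example (not the page's own code, nor OpenText's or OffSeq's), the following Python script puts mitigations 1 and 3 into practice: it reads firewall-style connection log lines, flags every connection to the backup service port that originates outside the trusted networks, and separately notes any single source that opens an unusual number of connections to that port. The port number, the trusted networks, the log line format and the sample log lines are all constructed assumptions, because the page does not name the port Carbonite Safe Server Backup listens on; replace them with the real values from the vendor documentation and your firewall's log format.

```python
"""Detect untrusted or bursty access to a backup server's service port.

Added illustration for the mitigation list above; not vendor code.
Assumptions (placeholders): BACKUP_PORT, TRUSTED_NETS, the key=value log
format and the sample lines are all constructed for this example.
"""

import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

# Placeholder: the page does not state the real listening port of the service.
BACKUP_PORT = 5555

# Networks that legitimately reach the backup service (constructed sample values).
TRUSTED_NETS = [
    ipaddress.ip_network("10.0.10.0/24"),
    ipaddress.ip_network("10.0.20.5/32"),
]

# A single source exceeding this many connections in one log window is reported.
BURST_THRESHOLD = 3

# Generic key=value firewall line (constructed); adapt the pattern to your firewall.
LINE_RE = re.compile(
    r"(?P<ts>\S+)\s+action=(?P<action>\w+)\s+src=(?P<src>[\d.]+)"
    r"\s+dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+)"
)


@dataclass
class Alert:
    ts: str
    src: str
    reason: str


def is_trusted(src: str) -> bool:
    """True when the source address falls inside one of the trusted networks."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in TRUSTED_NETS)


def analyze(lines) -> list[Alert]:
    """Return alerts for untrusted sources and connection bursts on BACKUP_PORT."""
    alerts: list[Alert] = []
    per_src: Counter = Counter()
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # line does not match the expected format; skip it
        if int(m["dport"]) != BACKUP_PORT:
            continue  # traffic to other ports is out of scope here
        src = m["src"]
        per_src[src] += 1  # count even denied attempts: probing is itself a signal
        if not is_trusted(src):
            alerts.append(Alert(
                m["ts"], src,
                f"untrusted source reached backup port {BACKUP_PORT} "
                f"(action={m['action']})",
            ))
    for src, count in per_src.items():
        if count > BURST_THRESHOLD:
            alerts.append(Alert("-", src, f"{count} connections to backup port in window"))
    return alerts


# Constructed sample log: one trusted host, one outside host probing repeatedly.
SAMPLE_LOG = [
    "2026-02-24T00:10:01Z action=allow src=10.0.10.7 dst=10.0.10.50 dport=5555",
    "2026-02-24T00:10:05Z action=allow src=10.0.10.7 dst=10.0.10.50 dport=443",
    "2026-02-24T00:11:12Z action=allow src=203.0.113.9 dst=10.0.10.50 dport=5555",
    "2026-02-24T00:11:13Z action=deny src=203.0.113.9 dst=10.0.10.50 dport=5555",
    "2026-02-24T00:11:14Z action=deny src=203.0.113.9 dst=10.0.10.50 dport=5555",
    "2026-02-24T00:11:15Z action=deny src=203.0.113.9 dst=10.0.10.50 dport=5555",
    "this line is not a firewall record and is skipped",
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(f"{alert.ts} {alert.src}: {alert.reason}")
```

Denied connections are counted alongside allowed ones on purpose: once the firewall rule from mitigation 1 is in place, repeated denies against the backup port are the clearest sign that something outside the allowlist is looking for the service, which is exactly the activity mitigation 3 asks you to watch for.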
Affected Countries
United States, Canada, United Kingdom, Germany, France, Australia, Japan, South Korea, India, Brazil, Netherlands, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: OpenText
- Date Reserved: 2025-08-18T18:06:33.953Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 699cf533be58cf853bf604d1
Added to database: 2/24/2026, 12:47:47 AM
Last enriched: 2/24/2026, 1:01:36 AM
Last updated: 2/24/2026, 5:39:01 AM
Views: 3