Veeam Backup & Replication Patched against Critical RCE Vulnerabilities
Jan 7
Key Findings:
Veeam has released security updates to address critical vulnerabilities in its Backup & Replication software, including a flaw with a CVSS score of 9.0 that could allow remote code execution (RCE).
The most severe vulnerability, CVE-2025-59470 (CVSS 9.0), enables a Backup or Tape Operator to achieve RCE as the postgres user by sending a malicious interval or order parameter.
Three other vulnerabilities, CVE-2025-55125 (CVSS 7.2), CVE-2025-59469 (CVSS 7.2), and CVE-2025-59468 (CVSS 6.7), also allow Backup or Tape Operators to execute code with elevated privileges, including as root.
The affected versions are Veeam Backup & Replication 13.0.1.180 and all earlier version 13 builds.
Veeam has addressed these vulnerabilities in version 13.0.1.1071, and urges users to update immediately.
Background
Veeam Backup & Replication is a popular enterprise-grade backup and recovery solution, used by organizations worldwide to protect their critical data. The software offers a range of features, including backup, recovery, replication, and more, making it a vital component of many IT infrastructures.
CVE-2025-59470 (CVSS 9.0, adjusted by Veeam to High)
This critical vulnerability allows a Backup or Tape Operator to achieve Remote Code Execution (RCE) as the postgres user. Attackers can exploit this by sending a "malicious interval or order parameter." While the raw technical severity is a critical 9.0, Veeam has downgraded the rating to High, reasoning that these operator roles are already "considered highly privileged" and that following security best practices reduces the attack surface.
CVE-2025-55125 (CVSS 7.2)
This vulnerability is a direct path to root. By creating a "malicious backup configuration file," a Backup or Tape Operator can execute code with the highest possible system privileges.
CVE-2025-59469 (CVSS 7.2)
Another dangerous flaw affecting the same operator roles: it allows them to write arbitrary files as root, which is often a precursor to full system compromise.
CVE-2025-59468 (CVSS 6.7)
This medium-severity bug affects the Backup Administrator role. An attacker with these credentials could achieve RCE as the postgres user by manipulating the "password parameter."
Conclusion
Veeam has promptly addressed these critical vulnerabilities in its Backup & Replication software, and organizations running version 13 are urged to update to the latest build 13.0.1.1071 to mitigate the risks. The most severe flaw, CVE-2025-59470, could allow remote code execution as a highly privileged user, underscoring the importance of applying these security updates without delay.
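A small triage helper, added here as an example and not code from the advisory or from Veeam, that checks whether an installed build string falls in the affected range stated above (13.0.1.180 and all earlier version 13 builds, fixed in 13.0.1.1071). The hostnames and most build numbers in the sample inventory are constructed; the only real values are the two builds the advisory names.

```python
# Added example (not from the advisory or from Veeam): decide whether a
# Veeam Backup & Replication build string is inside the affected range the
# advisory gives. Comparing version strings as plain text gets this wrong
# ("13.0.1.1071" sorts before "13.0.1.180" as text), so every dotted
# component is compared numerically.
from typing import Dict, Iterable, Tuple

AFFECTED_MAJOR = 13                  # advisory only names version 13 builds
LAST_AFFECTED_BUILD = "13.0.1.180"   # highest affected build per advisory
FIXED_BUILD = "13.0.1.1071"          # build that carries the fix


def parse_build(version: str) -> Tuple[int, ...]:
    """Turn '13.0.1.180' into (13, 0, 1, 180); reject malformed input."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric build string: {version!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str) -> bool:
    """True if this build needs the 13.0.1.1071 update per the advisory.

    Builds from other major versions are reported as not affected because
    the advisory does not cover them; 13.x builds are affected when they
    compare at or below 13.0.1.180 component by component.
    """
    build = parse_build(version)
    if build[0] != AFFECTED_MAJOR:
        return False
    return build <= parse_build(LAST_AFFECTED_BUILD)


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map host -> build to host -> action for a (constructed) inventory."""
    return {
        host: (f"update to {FIXED_BUILD}" if is_affected(build) else "not affected")
        for host, build in inventory.items()
    }


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and the 13.0.0.1 / 12.9.9.9
    # builds are placeholders, not real systems.
    sample = {
        "backup-01.example": "13.0.1.180",
        "backup-02.example": "13.0.1.1071",
        "backup-03.example": "13.0.0.1",
        "legacy-01.example": "12.9.9.9",
    }
    for host, action in triage(sample).items():
        print(f"{host}: {action}")
```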
Sources
https://securityonline.info/veeam-patches-critical-rce-flaws-in-latest-backup-replication-release/
https://thehackernews.com/2026/01/veeam-patches-critical-rce.html
https://x.com/the_yellow_fall/status/2008723431630794924