Veeam Patches Critical RCE and Multiple Vulnerabilities in Backup & Replication Software

Veeam has issued security updates to address multiple vulnerabilities in its Backup & Replication software. This includes a critical remote code execution (RCE) flaw.

Critical Vulnerability

The vulnerability, identified as CVE-2025-59470, has a CVSS score of 9.0. It allows a Backup or Tape Operator to execute remote code as the postgres user by transmitting a malicious interval or order parameter.

According to Veeam's documentation, Backup Operator roles manage existing jobs, export, copy, and create VeeamZip backups. Tape Operator roles execute tape backup and catalog jobs, manage tape media (eject, import, export, move, copy, erase), and set tape passwords. These roles are classified as highly privileged.

Veeam has categorized this flaw as "high severity" despite its CVSS score, noting that the risk of exploitation decreases if recommended security guidelines are followed.

Additional Vulnerabilities

The company also addressed three other vulnerabilities within the same product:

  • CVE-2025-55125 (CVSS score: 7.2): This flaw allows a Backup or Tape Operator to achieve RCE as root by creating a malicious backup configuration file.
  • CVE-2025-59468 (CVSS score: 6.7): A Backup Administrator can perform RCE as the postgres user by sending a malicious password parameter.
  • CVE-2025-59469 (CVSS score: 7.2): This vulnerability enables a Backup or Tape Operator to write files as root.

Affected Versions and Resolution

All four identified vulnerabilities affect Veeam Backup & Replication 13.0.1.180 and all earlier version 13 builds. The issues have been resolved in Backup & Replication version 13.0.1.1071.
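A quick way to check an inventory of Backup & Replication hosts against the build numbers above, as an added example that is not Veeam's own tooling: the only values taken from the advisory are the two build strings, the classification logic and the sample host list are this example's own. It also shows why the build must be compared numerically rather than as a string (which is correct beyond this one advisory).

```python
# Added example: classify a Veeam Backup & Replication 13 build against the
# ranges reported in the advisory. Not Veeam's own tooling; only the two
# build strings come from the article, everything else is this example's.
from typing import Tuple

LAST_AFFECTED = "13.0.1.180"   # highest build the advisory reports as affected
FIXED_BUILD = "13.0.1.1071"    # build that resolves all four CVEs


def parse_build(version: str) -> Tuple[int, ...]:
    """Split a dotted build string into integers so it compares numerically.
    A plain string compare gets this wrong: "13.0.1.180" > "13.0.1.1071"
    lexically because "8" > "0", even though 180 < 1071."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a numeric dotted build: {version!r}")
    return tuple(int(p) for p in parts)


def classify(version: str) -> str:
    """Return 'affected', 'fixed', 'unknown' (a 13.x build between the two
    builds, which the advisory text does not describe) or 'out-of-scope'
    (not a version 13 build at all)."""
    build = parse_build(version)
    if build[0] != 13:
        return "out-of-scope"
    if build <= parse_build(LAST_AFFECTED):
        return "affected"
    if build >= parse_build(FIXED_BUILD):
        return "fixed"
    return "unknown"


def triage(inventory: dict) -> dict:
    """Map host -> status for an inventory of {host: build string}."""
    return {host: classify(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory: hostnames and the two lower builds
    # are made up for illustration, not taken from the advisory.
    sample = {"vbr-01": "13.0.1.180", "vbr-02": "13.0.1.1071",
              "vbr-03": "13.0.0.4967", "vbr-04": "12.3.1.1139"}
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```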

Veeam has not reported exploitation of these flaws in active campaigns. However, previous vulnerabilities in this software have been exploited by threat actors.