Veeam Patches Critical RCE Vulnerability with CVSS 9.0 in Backup & Replication

Published:

7 January 2026 at 10:41:00

Alert date:

7 January 2026 at 13:02:49

Source:

thehackernews.com

Enterprise Applications, Zero-Day Vulnerabilities

Veeam has released security updates for its Backup & Replication software to address multiple vulnerabilities, including a critical remote code execution (RCE) flaw tracked as CVE-2025-59470 with a CVSS score of 9.0. The vulnerability allows a Backup or Tape Operator to perform remote code execution as the postgres user by sending malicious requests. This represents a significant security risk for organizations using Veeam's backup solutions.

Technical details

CVE-2025-59470 allows the Backup or Tape Operator roles to perform remote code execution as the postgres user by sending malicious interval or order parameters. CVE-2025-55125 enables RCE as root through malicious backup configuration files. CVE-2025-59468 allows Backup Administrators to perform RCE as the postgres user via malicious password parameters. CVE-2025-59469 permits file writing as root by Backup or Tape Operators. All of these vulnerabilities require a privileged user role within Veeam.

Mitigation steps:

Update to Veeam Backup & Replication version 13.0.1.1071 immediately. Follow Veeam's recommended Security Guidelines to reduce exploitation opportunities. Implement proper access controls for Backup Operator and Tape Operator roles as these are highly privileged positions.

Affected products:

Veeam Backup & Replication 13.0.1.180 and all earlier version 13 builds
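
The affected and fixed build numbers above are easy to mis-order when compared as text, because "13.0.1.180" sorts after "13.0.1.1071" as a string. The following is an added example, not code from the advisory or from Veeam, that triages an inventory of build strings numerically; the hostnames and sample builds are constructed, and treating builds between the two named numbers as "update" is an assumption.

```python
# Added example: triage Veeam Backup & Replication builds against the
# two build numbers stated in this advisory.
FIXED = (13, 0, 1, 1071)         # fixed build named in the advisory
LAST_AFFECTED = (13, 0, 1, 180)  # newest build the advisory lists as affected


def parse_build(text):
    """Turn '13.0.1.180' into (13, 0, 1, 180); raise ValueError on bad input."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        raise ValueError(f"not a four-part build number: {text!r}")
    return tuple(int(p) for p in parts)


def classify(build_text):
    """Return 'affected', 'patched', 'update', 'out-of-scope' or 'unparseable'."""
    try:
        build = parse_build(build_text)
    except ValueError:
        return "unparseable"
    if build[0] != 13:
        return "out-of-scope"  # the advisory only speaks about version 13 builds
    if build >= FIXED:
        return "patched"
    if build <= LAST_AFFECTED:
        return "affected"
    # Assumption: builds between the two are not named on the page; update anyway.
    return "update"


def triage(inventory):
    """Map each host to its classification, given {host: build_string}."""
    return {host: classify(build) for host, build in inventory.items()}


# Constructed sample inventory (hostnames and builds are illustrative only).
SAMPLE = {
    "vbr-ams-01": "13.0.1.180",
    "vbr-ams-02": "13.0.1.1071",
    "vbr-rtm-01": "13.0.0.100",
    "vbr-lab-01": "12.0.0.100",
    "vbr-lab-02": "13.0.1",
}

if __name__ == "__main__":
    for host, verdict in sorted(triage(SAMPLE).items()):
        print(f"{host:12} {SAMPLE[host]:14} {verdict}")
```
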

This article was created with the assistance of AI technology by Perceptive.
