Veeam has issued critical security updates for its widely-used Backup & Replication software, patching a severe vulnerability that could allow for remote code execution (RCE) by authenticated users. The company highlighted the RCE flaw, identified as CVE-2025-59470, and three other security issues, urging immediate application of the patches to safeguard enterprise security.
Veeam Patches Critical Remote Code Execution Vulnerability
The most pressing concern addressed by Veeam is CVE-2025-59470, a vulnerability rated with a CVSS score of 9.0. This flaw allows an individual with Backup Operator or Tape Operator privileges to execute arbitrary code remotely on the affected system. Veeam’s advisory explains that exploitation can occur by sending a specially crafted interval or order parameter to the system, granting an attacker significant control.
Users in Backup Operator roles have the ability to manage backup jobs, export backups, and create VeeamZip archives. Tape Operator roles possess privileges related to tape backup and catalog management, including the manipulation of physical tapes and media pools. Given the elevated permissions associated with these roles, organizations are already expected to have robust security measures in place to protect against their misuse. However, this vulnerability bypasses those protections.
Veeam has classified this specific vulnerability as “high severity,” even though the CVSS score suggests a critical potential impact. The company noted that the likelihood of exploitation is reduced if organizations adhere to Veeam’s recommended security guidelines. This suggests that certain configurations or additional security layers might mitigate the risk.
Additional Vulnerabilities Addressed
In addition to the critical RCE flaw, Veeam’s security update also resolves three other notable vulnerabilities within the same product:
CVE-2025-55125, with a CVSS score of 7.2, enables a Backup or Tape Operator to achieve RCE with root privileges by creating a malicious backup configuration file. This highlights the risk of granting file-creation privileges to less trusted roles.
Furthermore, CVE-2025-59468 (CVSS score: 6.7) permits a Backup Administrator to execute remote code as the postgres user by sending a malicious password parameter. This indicates a weakness in how password inputs are handled.
Lastly, CVE-2025-59469, also rated at a CVSS score of 7.2, allows a Backup or Tape Operator to write files with root privileges. This underscores a potential for unauthorized file system modifications.
All four identified vulnerabilities are present in Veeam Backup & Replication version 13.0.1.180 and all earlier builds within the 13.x series. The fixes have been integrated into Veeam Backup & Replication version 13.0.1.1071. While Veeam has not reported any instances of these vulnerabilities being actively exploited in the wild, the company emphasized the importance of prompt patching. Historically, vulnerabilities in Veeam software have been targeted by threat actors, making swift remediation crucial for robust enterprise security.
The immediate next step for all Veeam Backup & Replication users is to review their current version and apply the latest update. Organizations should prioritize the patching of systems managed by Backup Operators and Tape Operators to mitigate the immediate risks associated with CVE-2025-59470 and the other disclosed vulnerabilities. Continued vigilance and adherence to security best practices remain paramount in protecting critical backup infrastructure.
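One way to turn the version guidance above into a repeatable check, as an added example that is not Veeam's code: the thresholds are taken from the advisory text (every 13.x build up to and including 13.0.1.180 is affected, 13.0.1.1071 carries the fixes), while the host inventory and its build numbers are constructed sample data.

```python
"""Triage a Veeam Backup & Replication fleet against the advisory thresholds.

Added example, not Veeam's code. Version thresholds come from the advisory;
the inventory below is constructed sample data.
"""
from typing import List, Tuple

AFFECTED_MAJOR = 13
AFFECTED_MAX = (13, 0, 1, 180)    # last build the advisory names as affected
FIXED_MIN = (13, 0, 1, 1071)      # first build that contains the fixes

def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '13.0.1.180' into (13, 0, 1, 180); reject non-numeric input."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if not parts:
        raise ValueError(f"empty version string: {text!r}")
    return parts

def classify(version: str) -> str:
    """Return 'patched', 'vulnerable', 'unknown' (a 13.x build between the
    two thresholds, which the advisory does not describe) or 'out-of-scope'
    (not a 13.x build, so not covered by this advisory)."""
    v = parse_version(version)
    if v[0] != AFFECTED_MAJOR:
        return "out-of-scope"
    if v >= FIXED_MIN:          # tuple comparison handles 180 < 1071 correctly
        return "patched"
    if v <= AFFECTED_MAX:
        return "vulnerable"
    return "unknown"

def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Label each (host, version) pair; hosts needing action sort first."""
    order = {"vulnerable": 0, "unknown": 1, "out-of-scope": 2, "patched": 3}
    rows = [(host, ver, classify(ver)) for host, ver in inventory]
    return sorted(rows, key=lambda r: order[r[2]])

# Constructed sample inventory: hostnames and the 13.0.0.x / 12.x builds are made up.
SAMPLE_INVENTORY = [
    ("vbr-prod-01", "13.0.1.180"),
    ("vbr-prod-02", "13.0.1.1071"),
    ("vbr-dr-01", "13.0.0.100"),
    ("vbr-lab-01", "12.3.1.100"),
]

if __name__ == "__main__":
    for host, ver, status in triage(SAMPLE_INVENTORY):
        print(f"{host:<12} {ver:<14} {status}")
```

Feed `triage` the output of your own inventory export; the `unknown` bucket flags builds the advisory text does not settle, which should be verified against Veeam's advisory directly.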