Veeam has released a series of critical security updates to its Backup & Replication software, addressing multiple flaws, including a vulnerability classified as “critical” that could lead to remote code execution (RCE).

Critical Remote Code Execution (RCE) Vulnerability

The most notable vulnerability is CVE-2025-59470, which has a CVSS score of 9.0. This flaw allows a Backup or Tape operator to perform remote code execution as the postgres user by sending a malicious interval or order parameter.

Affected Roles and Risks

The “Backup Operator” and “Tape Operator” roles are considered high privilege. A user with the Backup Operator role can start and stop existing tasks, export and copy backups, and create VeeamZip backups. A Tape Operator, meanwhile, can run backup jobs or tape catalogs, eject and import tapes, and manage tape media.

Although these roles already carry elevated privileges and organizations should have adequate protections around them, Veeam itself rates this flaw as “high severity” despite its 9.0 CVSS score, indicating that the risk of exploitation is reduced when customers follow Veeam’s recommended security guidelines.

Other Vulnerabilities Fixed

In addition to the critical RCE, Veeam has also fixed three other important vulnerabilities in the same product:

  • CVE-2025-55125 (CVSS 7.2): Allows a Backup or Tape operator to perform RCE as the root user by creating a malicious backup configuration file.
  • CVE-2025-59468 (CVSS 6.7): Allows a Backup administrator to perform RCE as the postgres user by sending a malicious password parameter.
  • CVE-2025-59469 (CVSS 7.2): Allows a Backup or Tape operator to write files as the root user.

Affected Versions and Solutions

All identified vulnerabilities affect Veeam Backup & Replication version 13.0.1.180 and all earlier build 13 releases. The fixes are included in Backup & Replication version 13.0.1.1071.
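A quick way to triage a fleet against this advisory is to compare each server's reported build number with the two builds the advisory names. The following helper is an added example written for this page, not Veeam code or a Veeam tool; the build strings in the sample inventory are constructed. It takes a dotted build string, classifies it as affected, patched, or in the gap between the last build the advisory names as affected and the first fixed build (which the advisory does not enumerate), and flags non-build-13 releases as out of scope for this advisory rather than guessing about them.

```python
from typing import Iterable

# Facts taken from the advisory text on this page.
LAST_NAMED_AFFECTED = (13, 0, 1, 180)   # highest build the advisory names as affected
FIXED_BUILD = (13, 0, 1, 1071)          # first patched Backup & Replication build
ADVISORY_CVES = (
    "CVE-2025-59470",  # CVSS 9.0, RCE as postgres (Backup/Tape operator)
    "CVE-2025-55125",  # CVSS 7.2, RCE as root via malicious backup config file
    "CVE-2025-59468",  # CVSS 6.7, RCE as postgres (Backup administrator)
    "CVE-2025-59469",  # CVSS 7.2, arbitrary file write as root
)


def parse_build(version: str) -> tuple[int, ...]:
    """Turn '13.0.1.180' into (13, 0, 1, 180); reject anything that is not dotted integers."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric build string: {version!r}")
    return tuple(int(p) for p in parts)


def assess(version: str) -> str:
    """
    Classify one Backup & Replication build against this advisory.

    Returns:
      'patched'      - 13.0.1.1071 or later
      'affected'     - a build 13 release at or below 13.0.1.180
      'unclear'      - a build 13 release above 13.0.1.180 but below the fixed
                       build; the advisory does not name these, so do not
                       assume they are safe
      'out-of-scope' - not a build 13 release; this advisory says nothing
                       about it either way
    """
    build = parse_build(version)
    if build[0] != 13:
        return "out-of-scope"
    # Python compares tuples element by element, so short strings like
    # '13' or '13.0' sort below any fully specified build.
    if build >= FIXED_BUILD:
        return "patched"
    if build <= LAST_NAMED_AFFECTED:
        return "affected"
    return "unclear"


def needs_patch(inventory: Iterable[tuple[str, str]]) -> list[tuple[str, str, str]]:
    """
    From (hostname, build) pairs, return every host that should be scheduled
    for the 13.0.1.1071 update: confirmed affected builds and the unnamed gap
    builds alike. Out-of-scope hosts are left for a separate review.
    """
    todo = []
    for host, version in inventory:
        verdict = assess(version)
        if verdict in ("affected", "unclear"):
            todo.append((host, version, verdict))
    return todo


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and builds are illustrative only.
    sample = [
        ("vbr-prod-01", "13.0.1.180"),
        ("vbr-prod-02", "13.0.1.1071"),
        ("vbr-lab-01", "13.0.0.9"),
        ("vbr-lab-02", "13.0.1.500"),
        ("vbr-legacy", "12.0.0.1"),
    ]
    for host, version, verdict in needs_patch(sample):
        print(f"{host}: {version} -> {verdict}; apply 13.0.1.1071 ({', '.join(ADVISORY_CVES)})")
```

The "unclear" bucket is deliberate: the advisory names 13.0.1.180 as the highest affected build and 13.0.1.1071 as the fix, and nothing in between, so a triage script should treat that gap as needing the update rather than silently passing it.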

Conclusion

Although Veeam has not reported these vulnerabilities being actively exploited, the history of exploits of Veeam software by threat actors makes it imperative that users apply these fixes without delay. It is critical to prioritize the deployment of these patches to protect data backup and replication environments from potential attacks.

References

  • CVE-2025-59470
  • CVE-2025-55125
  • CVE-2025-59468
  • CVE-2025-59469