Veeam Patches Critical Remote Code Execution Flaw in Backup & Replication v13
Take action: If you are using Veeam Backup & Replication version 13, make sure all backup systems are isolated from the internet and accessible from trusted networks only. Limit the number of users with Backup or Tape Operator roles and update to version 13.0.1.1071 as soon as possible.
Veeam released security updates for its Backup & Replication software to fix multiple security flaws that allow users holding specific roles to run code or write files on the system, or even achieve a full system takeover, if exploited by an insider or through a compromised account.
Vulnerabilities summary:
- CVE-2025-59470 (CVSS score 9.0) – Lets a Backup or Tape Operator run remote code as the postgres user. Attackers exploit this by sending a malicious "interval" or "order" setting to the database. Veeam treats this as high severity because it requires existing operator privileges, but the base score remains critical.
- CVE-2025-55125 (CVSS score 7.2) – Allows RCE as root via a malicious backup configuration file.
- CVE-2025-59469 (CVSS score 7.2) – Enables a Backup or Tape Operator to write files as root.
- CVE-2025-59468 (CVSS score 6.7) – Allows RCE as the postgres user through a malicious password parameter.
Ransomware groups like Akira, Fog, and FIN7 frequently target backup infrastructure. By gaining control of a Veeam server, attackers can delete backups and steal sensitive data before deploying encryption. This strategy prevents organizations from restoring their systems, making them more likely to pay a ransom.
The flaws affect version 13.x below 13.0.1.1071. Veeam confirmed that version 12.x and older versions are not affected by these bugs.
Administrators should install version 13.0.1.1071 to patch these flaws. Apart from patching, organizations should restrict the number of users assigned to highly privileged operator roles to reduce the attack surface.
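As an added example (not Veeam's own tooling), the following Python script encodes the two checks the advisory asks for: whether an installed build falls in the affected range (13.x below 13.0.1.1071, with 12.x and older unaffected), and which accounts hold a Backup or Tape Operator role. The role-assignment records are constructed sample data, and the role display names are assumed to follow Veeam's "Veeam Backup Operator" / "Veeam Tape Operator" naming.

```python
"""Affected-version and privileged-role checks for the Veeam B&R v13 advisory.

Added example, not Veeam's own code. The fixed build (13.0.1.1071) and the
affected range come from the advisory; sample data below is constructed.
"""
from typing import Iterable

FIXED_BUILD = (13, 0, 1, 1071)
AFFECTED_MAJOR = 13
# Roles the advisory names as able to reach the vulnerable code paths
# (display names are an assumption, not taken from the advisory).
HIGH_RISK_ROLES = {"Veeam Backup Operator", "Veeam Tape Operator"}


def parse_build(version: str) -> tuple:
    """Turn '13.0.1.1071' into a tuple of ints so comparison is numeric.

    A plain string compare would wrongly rank '13.0.1.999' above '13.0.1.1071'.
    """
    parts = tuple(int(p) for p in version.strip().split("."))
    if len(parts) < 2:
        raise ValueError(f"unrecognised version string: {version!r}")
    # Pad short strings such as '13.0' so tuple comparison is well defined.
    return parts + (0,) * (4 - len(parts))


def is_affected(version: str) -> bool:
    """True when the build is a 13.x release below the patched build."""
    build = parse_build(version)
    return build[0] == AFFECTED_MAJOR and build < FIXED_BUILD


def privileged_accounts(assignments: Iterable[dict]) -> list:
    """Return account names holding a Backup or Tape Operator role (sorted, unique)."""
    return sorted({a["account"] for a in assignments if a["role"] in HIGH_RISK_ROLES})


# Constructed sample role assignments (hypothetical accounts, not real data).
SAMPLE_ASSIGNMENTS = [
    {"account": "CORP\\backup-svc", "role": "Veeam Backup Operator"},
    {"account": "CORP\\tape-ops", "role": "Veeam Tape Operator"},
    {"account": "CORP\\auditor", "role": "Veeam Backup Viewer"},
    {"account": "CORP\\backup-svc", "role": "Veeam Restore Operator"},
]

if __name__ == "__main__":
    # Constructed version strings, chosen to exercise the range boundaries.
    for v in ("12.3.0.1", "13.0.0.1", "13.0.1.999", "13.0.1.1071"):
        print(f"{v}: {'AFFECTED' if is_affected(v) else 'not affected'}")
    print("review these operator accounts:", privileged_accounts(SAMPLE_ASSIGNMENTS))
```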