Veeam resolves CVSS 9.0 RCE flaw and other security issues
Veeam has fixed multiple security vulnerabilities in Backup & Replication, including a CVSS 9.0 remote code execution flaw (CVE-2025-59470) that allows a Backup or Tape Operator to execute malicious code as the postgres user. Three other vulnerabilities were also fixed, and patched version 13.0.1.1071 has been released. 2026-1-7 11:31:04 Author: securityaffairs.com


Veeam patched a critical RCE flaw in Backup & Replication, CVE-2025-59470, rated CVSS 9.0, along with other vulnerabilities.

Veeam released patches for multiple Backup & Replication flaws, including a critical RCE vulnerability tracked as CVE-2025-59470 (CVSS score of 9.0).

A Backup or Tape Operator can achieve remote code execution as the postgres user by abusing malicious interval or order parameters.

“This vulnerability allows a Backup or Tape Operator to perform remote code execution (RCE) as the postgres user by sending a malicious interval or order parameter,” reads the advisory.

A Veeam Tape Operator is a limited Veeam Backup & Replication user role designed to manage tape-based backup operations without full administrative privileges.

The vulnerability was discovered during internal testing.

The vendor said that because the Backup and Tape Operator roles are highly privileged, and following its security guidelines lowers exploitability, the issue was downgraded to High severity.

Veeam also patched three other vulnerabilities: RCE as root via a malicious backup (CVE-2025-55125, CVSS score of 7.2), RCE as postgres via a password (CVE-2025-59468, CVSS score of 6.7), and file write as root (CVE-2025-59469, CVSS score of 7.2).

Veeam Backup & Replication 13.0.1.1071 addressed the vulnerabilities.

At this time, it is unclear whether any of the above flaws are being exploited in attacks in the wild.

In March 2025, the vendor addressed a critical vulnerability, tracked as CVE-2025-23120 (CVSS score of 9.9), impacting its Backup & Replication software that could lead to remote code execution.


Pierluigi Paganini

(SecurityAffairs – hacking, RCE)

Source: https://securityaffairs.com/186630/security/veeam-resolves-cvss-9-0-rce-flaw-and-other-security-issues.html