Veeam has released security updates to address multiple flaws in its Backup & Replication software, including a "critical" issue that could result in remote code execution (RCE).
The vulnerability, tracked as CVE-2025-59470, carries a CVSS score of 9.0.
"This vulnerability permits a Backup or Tape Operator to carry out remote code execution (RCE) as the postgres user by sending a malicious interval or order parameter," it said in a Tuesday bulletin.
According to Veeam's documentation, a user with a Backup Operator role can start and stop existing jobs; export backups; copy backups; and create VeeamZip backups. A Tape Operator user, on the other hand, can run tape backup jobs or tape catalog jobs; eject tapes; import and export tapes; move tapes to a media pool; copy or erase tapes; and set a tape password.
In other words, these roles are considered highly privileged, and organizations should already be taking adequate protections to prevent them from being misused.

Veeam said it is treating the flaw as "high severity" despite the CVSS score, stating the opportunity for exploitation is reduced if customers follow Veeam's recommended Security Guidelines.
Also addressed by the company are three other vulnerabilities in the same product:
- CVE-2025-55125 (CVSS score: 7.2): A vulnerability that allows a Backup or Tape Operator to perform RCE as root by creating a malicious backup configuration file
- CVE-2025-59468 (CVSS score: 6.7): A vulnerability that allows a Backup Administrator to perform RCE as the postgres user by sending a malicious password parameter
- CVE-2025-59469 (CVSS score: 7.2): A vulnerability that allows a Backup or Tape Operator to write files as root
All four identified vulnerabilities affect Veeam Backup & Replication 13.0.1.180 and all earlier version 13 builds. They have been addressed in Backup & Replication version 13.0.1.1071.
While Veeam makes no mention of the flaws being exploited in the wild, it is essential that users promptly apply the fixes, given that vulnerabilities in the software have been exploited by threat actors in the past.
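To triage an inventory against the two builds named above, the comparison has to be numeric per component, because as plain strings "13.0.1.1071" sorts before "13.0.1.180". The following is an added example, not Veeam's tooling; the host names and inventory builds are constructed, and the status labels are this example's own.

```python
# Added example: classify Backup & Replication builds against the two
# builds named in the article. Inventory data below is constructed.

LAST_AFFECTED = (13, 0, 1, 180)   # newest affected build, per the article
FIXED_BUILD = (13, 0, 1, 1071)    # build carrying the fixes, per the article


def parse_build(text):
    """Turn 'a.b.c.d' into a tuple of ints; raise ValueError if malformed."""
    parts = text.strip().split(".")
    if len(parts) != 4:
        raise ValueError(f"unexpected build string: {text!r}")
    return tuple(int(p) for p in parts)  # int() rejects non-numeric parts


def classify(build_text):
    """Return affected, patched, needs-review, out-of-scope or unparseable."""
    try:
        build = parse_build(build_text)
    except ValueError:
        return "unparseable"
    if build[0] != 13:
        # The article only makes a statement about version 13 builds.
        return "out-of-scope"
    if build >= FIXED_BUILD:
        return "patched"
    if build <= LAST_AFFECTED:
        return "affected"
    # Between the two named builds: the article does not say either way.
    return "needs-review"


def triage(inventory):
    """Map each host in {host: build_string} to its classification."""
    return {host: classify(build) for host, build in inventory.items()}


# Constructed inventory for illustration.
SAMPLE_INVENTORY = {
    "vbr-prod-01": "13.0.1.180",
    "vbr-prod-02": "13.0.1.1071",
    "vbr-lab-01": "13.0.1.500",
    "vbr-dr-01": "unknown",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host}: {status}")
```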



