Critical RCE Vulnerability (CVE-2025-59470) in Veeam Backup & Replication: Patch Released to Prevent Exploitation
- Rescana
- 2 days ago
- 5 min read

Executive Summary
Veeam has released critical security updates for its flagship Veeam Backup & Replication product, addressing a severe remote code execution (RCE) vulnerability tracked as CVE-2025-59470. This flaw, assigned a CVSS v3.1 base score of 9.0, enables highly privileged users—specifically those with Backup Operator or Tape Operator roles—to execute arbitrary code as the postgres user on the backup server. The vulnerability is exploitable via network vectors and does not require user interaction, making it a high-risk issue for organizations relying on Veeam Backup & Replication for data protection. While there is currently no evidence of exploitation in the wild or public proof-of-concept code, the criticality of the vulnerability and the privileged access required underscore the urgent need for immediate patching and robust access control. This advisory provides a comprehensive technical analysis, exploitation context, and actionable recommendations to mitigate risk.
Technical Information
CVE-2025-59470 is a critical vulnerability in Veeam Backup & Replication that allows a user with Backup Operator or Tape Operator privileges to achieve remote code execution as the postgres user. The flaw is triggered by sending specially crafted parameters—specifically the interval or order fields—to the application, which are then improperly handled, leading to arbitrary code execution within the context of the database service.
The vulnerability is network-exploitable, meaning an attacker with the necessary credentials can exploit it remotely without requiring physical access or user interaction. The attack vector leverages the application's parameter parsing logic, which fails to adequately sanitize or validate input from privileged users. This results in a scope change, as the attacker can escalate from application-level privileges to full control over the underlying database service, potentially leading to lateral movement, data exfiltration, or destruction of backup data.
The CVSS v3.1 base score of 9.0 reflects the high impact and exploitability of this vulnerability. The attack complexity is low for an adversary with the required privileges, and the impact includes complete compromise of the Veeam Backup & Replication server as the postgres user. This could allow for further privilege escalation, manipulation or deletion of backup data, and disruption of disaster recovery operations.
In addition to CVE-2025-59470, the latest patch release (version 13.0.1.1071) addresses several related vulnerabilities, including CVE-2025-55125 (RCE as root via malicious backup configuration file, CVSS 7.2), CVE-2025-59468 (RCE as postgres via malicious password parameter, CVSS 6.7), and CVE-2025-59469 (arbitrary file write as root, CVSS 7.2). These issues further highlight the importance of maintaining up-to-date software and restricting privileged access.
The vulnerability affects Veeam Backup & Replication version 13.0.1.180 and all earlier version 13 builds. Versions 12.x and older are not affected. The patched version is 13.0.1.1071, which includes fixes for all known issues described in the vendor's advisory.
From a technical perspective, the exploitation path involves an authenticated, highly privileged user sending maliciously crafted parameters to the backup server. The server's backend processes these parameters without sufficient validation, resulting in the execution of attacker-controlled code as the postgres user. This could be leveraged to manipulate backup data, install persistent backdoors, or facilitate further attacks within the environment.
The vulnerability aligns with several MITRE ATT&CK techniques, including T1078 (Valid Accounts), T1059 (Command and Scripting Interpreter), and T1569.002 (System Services: Service Execution). These techniques are commonly used by advanced threat actors to gain and maintain access to critical infrastructure.
Exploitation in the Wild
As of the publication of this advisory, there are no confirmed reports of exploitation of CVE-2025-59470 in the wild. No public proof-of-concept exploit code has been identified on major repositories such as GitHub, Exploit-DB, or security research forums. Both Veeam and independent cybersecurity news outlets, including The Hacker News, have confirmed the absence of active exploitation or public exploit tools.
However, the history of Veeam vulnerabilities demonstrates that once technical details or exploit code become available, threat actors—including ransomware operators and advanced persistent threat (APT) groups—are quick to weaponize such flaws. Previous vulnerabilities in Veeam Backup & Replication have been targeted in high-profile attacks, leading to data loss and operational disruption for affected organizations.
Given the criticality of the vulnerability and the privileged access required, organizations should not assume that the lack of current exploitation equates to safety. The window between disclosure and exploitation is often short, especially for widely deployed enterprise backup solutions.
APT Groups Using This Vulnerability
At this time, there is no public evidence or intelligence linking any specific APT groups or cybercriminal organizations to the exploitation of CVE-2025-59470. No threat intelligence feeds, vendor reports, or open-source intelligence (OSINT) sources have attributed active campaigns to this vulnerability.
Nevertheless, it is important to note that Veeam Backup & Replication is a high-value target for APT groups due to its central role in enterprise data protection and disaster recovery. In the past, APT groups such as FIN7, Conti, and other ransomware operators have targeted backup infrastructure to maximize the impact of their attacks. The privileged access required for exploitation means that insider threats or compromised administrative accounts could be leveraged in future campaigns.
Organizations should remain vigilant and monitor for emerging threat intelligence related to this vulnerability, as the situation may evolve rapidly once exploit code becomes available or threat actors begin reconnaissance for vulnerable systems.
Affected Product Versions
The following product versions are affected by CVE-2025-59470: Veeam Backup & Replication 13.0.1.180 and all earlier version 13 builds, that is, earlier 13.0.1.x builds and every 13.0.0.x build. Versions 12.x and older are not affected by this vulnerability. The issue is fully remediated in Veeam Backup & Replication 13.0.1.1071 and later releases.
Organizations running any version of Veeam Backup & Replication 13 prior to 13.0.1.1071 are at risk and should prioritize immediate patching. It is essential to verify the current version deployed in your environment and consult the official Veeam advisory for detailed upgrade instructions.
Workaround and Mitigation
The primary mitigation for CVE-2025-59470 is to upgrade to Veeam Backup & Replication version 13.0.1.1071 or later. This release includes patches for all known vulnerabilities described in the vendor's advisory. Organizations should follow best practices for change management and ensure that backups are tested and verified prior to applying updates.
In addition to patching, organizations should restrict the assignment of Backup Operator and Tape Operator roles to only the most trusted personnel. Regularly review and audit privileged accounts to ensure that access is limited to those with a legitimate business need. Implement strong authentication mechanisms, such as multi-factor authentication (MFA), for all administrative accounts.
Network segmentation is also critical. Veeam Backup & Replication servers should be isolated from untrusted networks and accessible only by necessary personnel. Monitor network traffic for unusual activity, particularly connections to and from the backup server.
Continuous monitoring of audit logs is recommended to detect suspicious activity by privileged accounts. Look for unexpected job executions, unauthorized changes to backup configurations, or processes running as the postgres user. While no specific indicators of compromise (IOCs) have been published for this vulnerability, these behaviors may signal attempted or successful exploitation.
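The three behaviours named above (unexpected job executions, configuration changes by operator-role accounts, and processes running as the postgres user) expressed as detection rules over audit events, as an added example that is not part of the advisory and not Veeam code. Everything about the input is an assumption: the JSON-lines event shape, the field names, the maintenance window and the baseline of binaries expected under the postgres account are all constructed for the example, and the sample log is fabricated. Map the rules onto the fields your own audit source actually emits.

```python
"""Detection rules for the privileged-account behaviours the advisory lists.

Added example, not Veeam code. The event format, field names, maintenance
window and postgres process baseline are assumptions made for illustration.
"""
import json
from datetime import datetime, time
from typing import Dict, List, Tuple

Event = Dict[str, object]

# Roles the advisory names as sufficient for exploitation (spelling assumed).
OPERATOR_ROLES = {"Backup Operator", "Tape Operator"}
# Assumed window in which scheduled jobs normally run (crosses midnight).
WINDOW_START, WINDOW_END = time(22, 0), time(6, 0)
# Assumed baseline of executables expected to run as the postgres service user.
POSTGRES_BASELINE = {"postgres", "pg_ctl", "psql", "pg_dump"}

# Constructed sample events in JSON lines; not real Veeam audit output.
SAMPLE_LOG = """\
{"ts": "2025-12-02T23:10:05", "user": "bkp-op1", "role": "Backup Operator", "action": "job_start", "detail": "Nightly-SQL"}
{"ts": "2025-12-03T13:42:17", "user": "bkp-op1", "role": "Backup Operator", "action": "job_start", "detail": "Adhoc-Export"}
{"ts": "2025-12-03T13:43:02", "user": "tape-op2", "role": "Tape Operator", "action": "config_change", "detail": "repository settings"}
{"ts": "2025-12-03T13:43:40", "user": "postgres", "role": "", "action": "process_start", "detail": "/bin/sh"}
{"ts": "2025-12-03T13:44:00", "user": "postgres", "role": "", "action": "process_start", "detail": "postgres: checkpointer"}
{"ts": "2025-12-03T02:00:00", "user": "bkp-admin", "role": "Backup Administrator", "action": "config_change", "detail": "retention policy"}
"""


def parse_log(text: str) -> List[Event]:
    """Parse JSON lines into events, converting the ISO timestamp to datetime."""
    events: List[Event] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def in_maintenance_window(ts: datetime) -> bool:
    """True if the time of day falls in the assumed 22:00-06:00 window."""
    t = ts.time()
    return t >= WINDOW_START or t < WINDOW_END   # union of two ranges across midnight


def executable_name(cmdline: str) -> str:
    """Basename of the first token of a command line ('postgres:' -> 'postgres')."""
    tokens = cmdline.split()
    if not tokens:
        return ""
    return tokens[0].rsplit("/", 1)[-1].rstrip(":")


def detect(events: List[Event]) -> List[Tuple[str, Event]]:
    """Apply the three rules and return (rule_name, event) pairs."""
    alerts: List[Tuple[str, Event]] = []
    for ev in events:
        action = ev["action"]
        role = str(ev.get("role", ""))
        # Rule 1: job executions outside the normal schedule.
        if action == "job_start" and not in_maintenance_window(ev["ts"]):
            alerts.append(("job_outside_window", ev))
        # Rule 2: configuration changes made by an operator-role account.
        if action == "config_change" and role in OPERATOR_ROLES:
            alerts.append(("config_change_by_operator", ev))
        # Rule 3: something other than a database binary running as postgres.
        if action == "process_start" and ev["user"] == "postgres":
            if executable_name(str(ev["detail"])) not in POSTGRES_BASELINE:
                alerts.append(("unexpected_process_as_postgres", ev))
    return alerts


def alert_summary(text: str = SAMPLE_LOG) -> List[Tuple[str, str]]:
    """Run detection over log text and return (rule, user) pairs for triage."""
    return [(rule, str(ev["user"])) for rule, ev in detect(parse_log(text))]


if __name__ == "__main__":
    for rule, user in alert_summary():
        print(f"{rule:<32} {user}")
```

Each rule is deliberately narrow so that its false-positive sources are visible: rule 1 needs a real schedule rather than a fixed window, rule 2 depends on your change-approval process, and rule 3 needs a baseline taken from a known-good server. None of them is an indicator of compromise for this CVE; they surface the behaviours worth a second look while no IOCs exist.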
If immediate patching is not possible, consider temporarily disabling or restricting access to the backup server for all but essential personnel until the update can be applied. However, this is not a substitute for applying the official patch.
References
For further technical details and official guidance, consult the following resources:
NVD Entry for CVE-2025-59470 (when available)
Rescana is here for you
At Rescana, we understand the critical importance of securing your third-party and supply chain ecosystem. Our TPRM platform empowers organizations to continuously monitor, assess, and manage cyber risk across their vendor landscape, providing actionable intelligence and automated workflows to reduce exposure. While this advisory focuses on a specific vulnerability in Veeam Backup & Replication, our platform is designed to help you stay ahead of emerging threats and maintain resilience in the face of evolving cyber risks.
If you have any questions about this advisory or require assistance with your cybersecurity program, our team is here to help. Please contact us at ops@rescana.com.