Veeam Fixes Critical CVSS 9.0 RCE Flaw In Backup & Replication

Veeam has released patches for four vulnerabilities in its backup suite.

Published on Jan 8, 2026
Written by Joel Witts

Veeam has released security updates to address four vulnerabilities in its Backup & Replication software, including one flaw assigned a critical CVSS score of 9.0.

The most severe issue, tracked as CVE-2025-59470, could allow a “Backup or Tape Operator to perform remote code execution (RCE) as the postgres user by sending a malicious interval or order parameter.”

“Backup and Tape Operator roles are considered highly privileged roles and should be protected as such,” Veeam wrote in an advisory published Tuesday. These roles are able to export, copy and create backups and tapes, according to Veeam documentation.

As a result, Veeam said it is treating the vulnerability as high severity despite its critical CVSS rating, noting that the opportunity for exploitation is reduced when customers follow the company's recommended Security Guidelines.

In addition to CVE-2025-59470, Veeam addressed three other vulnerabilities in the same product:

  • CVE-2025-55125 (CVSS 7.2, high severity), which could allow a Backup or Tape Operator to achieve RCE as root by creating a malicious backup configuration file.
  • CVE-2025-59469 (CVSS 7.2, high severity), which could allow an operator to write arbitrary files to the system as root.
  • CVE-2025-59468 (CVSS 6.7, medium severity), which could allow a Backup Administrator to perform RCE as the postgres user via a malicious password parameter.

The vulnerabilities were identified internally by Veeam’s research team and affect Backup & Replication version 13.0.1.180 and all earlier builds in the 13.x release line.

They have been resolved in version 13.0.1.1071, and administrators are advised to apply the update as soon as possible.
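For administrators triaging an inventory of Backup & Replication servers against the ranges stated above, the following is an added example (not code from the article or from Veeam). It assumes only what the article says: any 13.x build at or below 13.0.1.180 is affected and 13.0.1.1071 carries the fix; builds between those two values are reported as unknown rather than guessed. The host inventory is constructed for illustration. The point worth noticing is that build numbers must be compared numerically, since a plain string comparison ranks 13.0.1.180 above 13.0.1.1071.

```python
# Added example, not from the article or from Veeam.
# Classifies a reported Veeam Backup & Replication build against the
# affected / fixed ranges described in the article.
from typing import Dict, Tuple

AFFECTED_MAX = "13.0.1.180"   # affected: this build and all earlier 13.x builds
FIXED_BUILD = "13.0.1.1071"   # first build the article names as fixed


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted build string into a tuple of ints for numeric comparison.

    A string compare gets this wrong: "13.0.1.180" > "13.0.1.1071"
    lexicographically, even though 180 < 1071 as build numbers.
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    return tuple(int(p) for p in parts)


def assess(version: str) -> str:
    """Return one of: affected, fixed, unknown, out-of-scope."""
    build = parse_version(version)
    if build[0] != 13:
        # The article only describes the 13.x release line.
        return "out-of-scope"
    if build <= parse_version(AFFECTED_MAX):
        return "affected"
    if build >= parse_version(FIXED_BUILD):
        return "fixed"
    # Between the affected maximum and the named fix: the article does not
    # say, so do not guess either way.
    return "unknown"


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each host in an inventory to its assessment."""
    return {host: assess(build) for host, build in inventory.items()}


# Constructed sample inventory (hostnames and builds are illustrative).
SAMPLE_INVENTORY = {
    "vbr-prod-01": "13.0.1.180",
    "vbr-prod-02": "13.0.0.42",
    "vbr-dr-01": "13.0.1.1071",
    "vbr-lab-01": "13.0.1.500",
    "vbr-legacy": "12.3.1.1139",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host:12s} {SAMPLE_INVENTORY[host]:14s} {status}")
```

Hosts reported as affected should be scheduled for the 13.0.1.1071 update; for every host, regardless of status, the Backup Operator, Tape Operator and Backup Administrator role memberships are worth reviewing, since all four issues require one of those roles.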

While there is no suggestion these vulnerabilities have been exploited in the wild, backups are high-value targets for ransomware attacks due to the sensitive data they can contain.