Critical RCE in Veeam Backup & Replication: CVE-2025-59470

Critical remote code execution vulnerability CVE-2025-59470 affects Veeam Backup & Replication, allowing authenticated Backup or Tape Operators to execute code as the postgres user through malicious interval or order parameters.

Technical Breakdown

Veeam assigns this flaw a CVSS v3.1 score of 9.0 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L) but rates it as high severity rather than critical, citing the privileged access it requires and alignment with its security guidelines. The vulnerability was discovered internally. It enables RCE without user interaction, but only from high-privilege roles that are typically restricted in hardened environments. No public exploits exist as of January 8, 2026, though the backup server's role in critical infrastructure elevates the risk.

Scope and Impact

Vulnerable versions include all Veeam Backup & Replication 13 builds before 13.0.1.1071, such as 13.0.1.180 and earlier; version 12.x remains unaffected. Exploitation could compromise backup integrity, leading to data tampering, ransomware deployment, or lateral movement in enterprise networks. Organizations in healthcare, finance, and government face heightened threats given Veeam’s prevalence in backup operations.

Remediation Steps

  • Immediate Patch: Upgrade to Veeam Backup & Replication 13.0.1.1071, released January 6, 2026, which addresses CVE-2025-59470 alongside related flaws (CVE-2025-55125, CVE-2025-59468, CVE-2025-59469).
  • Privilege Hardening: Strictly limit Backup and Tape Operator roles per Veeam’s security guidelines; prefer least-privilege access.
  • Monitoring: Scan logs for suspicious parameter manipulations and deploy network segmentation to isolate backup servers.
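
A fleet check for the affected-build range stated above, as an added example (not code from Veeam or from this post). It compares builds numerically, because a plain string comparison ranks 13.0.1.180 above 13.0.1.1071 and would report it as patched. The host names and inventory rows are constructed.

```python
"""Triage Veeam Backup & Replication builds against CVE-2025-59470.

Added example: thresholds come from the advisory text above; the
inventory rows are constructed sample data, not real hosts.
"""
import re

FIXED_BUILD = (13, 0, 1, 1071)  # first fixed build per the advisory
BUILD_RE = re.compile(r"^\s*v?(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_build(text):
    """Return a 4-tuple of ints, or None if the string is not a full build."""
    m = BUILD_RE.match(text or "")
    return tuple(int(p) for p in m.groups()) if m else None


def classify(text):
    """Map a build string to vulnerable / patched / unaffected / unknown."""
    build = parse_build(text)
    if build is None:
        return "unknown"        # never assume safe on unparsable data
    if build[0] == 12:
        return "unaffected"     # advisory: 12.x is not affected
    if build[0] == 13:
        return "vulnerable" if build < FIXED_BUILD else "patched"
    return "unknown"            # major version not covered by the advisory


def triage(inventory):
    """Group (host, build) pairs by status, vulnerable hosts listed first."""
    report = {"vulnerable": [], "unknown": [], "patched": [], "unaffected": []}
    for host, build in inventory:
        report[classify(build)].append(host)
    return report


# Constructed sample inventory (hypothetical host names and build strings).
SAMPLE = [
    ("vbr-01.example.internal", "13.0.1.180"),
    ("vbr-02.example.internal", "13.0.1.1071"),
    ("vbr-03.example.internal", "12.3.2.3617"),
    ("vbr-04.example.internal", "13.0.1"),            # truncated: unknown
    ("vbr-05.example.internal", "13.0.0.4967 P1"),    # trailing patch tag
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE).items():
        print(f"{status:<11} {', '.join(hosts) or '-'}")
```

Hosts reported as unknown need a manual build check rather than being treated as safe.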

1 Comment

  1. This is a clear, well-structured, and highly responsible security write-up. You balance technical depth with practical context, making the risk understandable without sensationalism. I especially appreciate how you explain why the CVSS score is high while still acknowledging the mitigating factors around privilege requirements—this kind of nuance is often missing in vulnerability discussions. The remediation section is concise and actionable, and the emphasis on backup infrastructure risk is spot on. A solid, professional contribution that shows both technical insight and real-world awareness.
