Veeam resolves CVSS 9.0 RCE flaw and other security issues - Security Affairs
Pierluigi Paganini
January 07, 2026
Veeam patched a critical RCE flaw in Backup & Replication, CVE-2025-59470, rated CVSS 9.0, along with other vulnerabilities.
Veeam released patches for multiple Backup & Replication flaws, including a critical RCE vulnerability tracked as CVE-2025-59470 (CVSS score of 9.0).
A Backup or Tape Operator can achieve remote code execution as the postgres user by sending a malicious interval or order parameter.
“This vulnerability allows a Backup or Tape Operator to perform remote code execution (RCE) as the postgres user by sending a malicious interval or order parameter,” reads the advisory.
A Veeam Tape Operator is a limited Veeam Backup & Replication user role designed to manage tape-based backup operations without full administrative privileges.
The vulnerability was discovered during internal testing.
The vendor said Backup and Tape Operator roles are highly privileged, and following security guidelines lowers exploitability, so the issue was downgraded to High severity.
Veeam also patched three other vulnerabilities: RCE as root via malicious backup (CVE-2025-55125, CVSS score of 7.2), RCE as postgres via password (CVE-2025-59468, CVSS score of 6.7), and file write as root (CVE-2025-59469, CVSS score of 7.2).
Veeam Backup & Replication 13.0.1.1071 addressed the vulnerabilities.
At this time, it is unclear whether any of the above flaws is being exploited in attacks in the wild.
In March 2025, the vendor addressed a critical vulnerability, tracked as CVE-2025-23120 (CVSS score of 9.9), impacting its Backup & Replication software that could lead to remote code execution.