Veeam Patches Critical Vulnerabilities Allowing Potential Remote Code Execution
Four security flaws in Veeam Backup & Replication software could allow attackers who already hold specific backup-role credentials to execute code remotely. A patch is available to address these issues.
Published: November 21, 2023 at 1:48 PM PST
- Veeam released a patch, version 13.0.1.1071, to address four vulnerabilities.
- The most critical flaw, CVE-2025-59470, has a CVSS score of 9 and allows remote code execution.
- Attackers would need valid credentials for the Backup Operator, Tape Operator or Backup Administrator roles to exploit these vulnerabilities.
- While concerning, Veeam states that the core backup data itself is not at risk.
A newly released security update from Veeam addresses four vulnerabilities that could allow attackers to gain control of systems running the popular data protection software. The most severe, identified as CVE-2025-59470, carries a critical CVSS score of 9 and permits a Backup Operator or Tape Operator to execute malicious code remotely by manipulating interval or order parameters. A single compromised account holding either role is therefore enough to run attacker-controlled code on the backup server.
Understanding the Vulnerabilities
The vulnerabilities discovered impact Veeam's ability to securely manage backups. CVE-2025-59469, with a severity score of 7.2, allows a Backup Operator or Tape Operator to write files as root, which in practice grants unrestricted access to the system. Another flaw, CVE-2025-55125 (also 7.2), enables remote code execution as root through a maliciously crafted backup configuration file. CVE-2025-59468 (6.7) allows a Backup Administrator to execute code remotely as the Postgres user by submitting a malicious password parameter.
The patch to version 13.0.1.1071 is designed for “easy installation” and shouldn’t disrupt existing operations, according to company representatives. As of Tuesday afternoon, Veeam reported no known instances of these vulnerabilities being actively exploited.
“The good news is, if a Veeam server is broken, we can create a new server right away – presumably with this patch installed – import the backups and carry on. The core data is entirely unimpacted by this,” a company spokesperson said. “The worst type of thing would be the [backup] environment isn’t working right or the Postgres database is messed up on the Veeam server, so jobs might not behave in a way one might expect.”
Administrators utilizing the Veeam One monitoring suite will receive alerts if backup jobs fail or are unable to connect to the server, providing an early warning system for potential issues.
Credential Management is Key
While the vulnerabilities are serious, Johannes Ullrich, dean of research at the SANS Institute, noted that exploiting them requires valid credentials for specific roles. "The four vulnerabilities being patched are less severe than some because an attacker, internal or external, would need valid credentials for the three specific roles," he explained.
However, Ullrich cautioned that backup systems are prime targets for attackers, notably those deploying ransomware, who often attempt to erase backups to maximize their leverage. “Backup systems should be regularly audited to ensure that access rights, such as those mentioned in this vulnerability, are properly managed and only accessible to users who actually need them,” he said. “Authentication credentials should be reviewed to ensure they comply with the respective standards.”
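The two checks the article points to, verifying the patch level and auditing who holds the three roles named in the advisory, as an added example that is not part of the original article and is not Veeam's own tooling. The role-assignment records and their field names (principal, type, role) are constructed assumptions; a real audit would feed in the backup server's role-assignment export. Build comparison is numeric and component-wise, because a plain string compare would rank 13.0.1.999 above 13.0.1.1071.

```python
"""Post-advisory checks for a Veeam backup server: patch level and privileged role holders.

Added example, not Veeam's own tooling. The role-assignment records below are
constructed for illustration and their field names (principal/type/role) are
assumptions; a real audit would feed in the server's role-assignment export.
"""
from __future__ import annotations

from typing import Dict, Iterable, List, Set, Tuple

# Build named in the advisory as fixing all four CVEs.
PATCHED_BUILD = "13.0.1.1071"

# The roles the advisory names as sufficient to reach the vulnerable code paths.
PRIVILEGED_ROLES: Set[str] = {"Backup Operator", "Tape Operator", "Backup Administrator"}

# Directory groups that should never hold a privileged backup role (assumed list).
BROAD_GROUPS: Set[str] = {"domain users", "everyone", "authenticated users", "users"}


def parse_build(version: str) -> Tuple[int, ...]:
    """Split a dotted build string into integers; reject anything non-numeric."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed build string: {version!r}")
    return tuple(int(p) for p in parts)


def is_patched(installed: str, required: str = PATCHED_BUILD) -> bool:
    """True when the installed build is at or above the fixed build.

    Comparison is component-wise and numeric, so 13.0.1.999 correctly sorts
    below 13.0.1.1071; shorter strings are zero-padded before comparing.
    """
    inst, req = parse_build(installed), parse_build(required)
    width = max(len(inst), len(req))
    inst += (0,) * (width - len(inst))
    req += (0,) * (width - len(req))
    return inst >= req


def audit_assignments(
    assignments: Iterable[Dict[str, str]], allowlist: Dict[str, Set[str]]
) -> List[str]:
    """Flag privileged roles held by broad groups or by principals not on the allowlist.

    allowlist maps a role name to the set of principals approved to hold it.
    """
    findings: List[str] = []
    for entry in assignments:
        role = entry["role"]
        if role not in PRIVILEGED_ROLES:
            continue  # viewer-type roles are out of scope for this advisory
        principal = entry["principal"]
        short_name = principal.rsplit("\\", 1)[-1].lower()  # strip the DOMAIN\ prefix
        if entry["type"] == "Group" and short_name in BROAD_GROUPS:
            findings.append(f"{role} granted to broad group {principal}")
        elif principal not in allowlist.get(role, set()):
            findings.append(f"{role} granted to unapproved principal {principal}")
    return findings


# Constructed sample data (not exported from a real server).
SAMPLE_ASSIGNMENTS: List[Dict[str, str]] = [
    {"principal": "CORP\\backup-svc", "type": "User", "role": "Backup Administrator"},
    {"principal": "CORP\\jdoe", "type": "User", "role": "Backup Operator"},
    {"principal": "CORP\\Domain Users", "type": "Group", "role": "Tape Operator"},
    {"principal": "CORP\\helpdesk", "type": "Group", "role": "Backup Viewer"},
    {"principal": "CORP\\tape-svc", "type": "User", "role": "Tape Operator"},
]

SAMPLE_ALLOWLIST: Dict[str, Set[str]] = {
    "Backup Administrator": {"CORP\\backup-svc"},
    "Tape Operator": {"CORP\\tape-svc"},
    # No principal is approved for Backup Operator in this environment.
}


if __name__ == "__main__":
    installed = "13.0.0.100"  # constructed value standing in for the server's reported build
    print(f"build {installed} patched: {is_patched(installed)}")
    for finding in audit_assignments(SAMPLE_ASSIGNMENTS, SAMPLE_ALLOWLIST):
        print("FINDING:", finding)
```

Run against the constructed sample, the script reports the server as unpatched and raises two findings: a Backup Operator grant to an individual user who is not on the allowlist, and a Tape Operator grant to the Domain Users group. The broad-group rule fires before the allowlist check so that a group like Domain Users is flagged even if someone has mistakenly allowlisted it.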
The practical takeaway for defenders: apply the 13.0.1.1071 patch, then audit who holds the Backup Operator, Tape Operator and Backup Administrator roles and tighten authentication on those accounts, since a single compromised credential in one of those roles is the only precondition these exploits need.
