About:
CVE-2025-59470 is a critical remote code execution vulnerability in Veeam Backup & Replication that allows users with Backup Operator or Tape Operator privileges to execute arbitrary code on the backup server. By submitting specially crafted parameter values to privileged backup-related operations, an attacker can trigger unintended command execution in the context of the highly privileged “postgres” service account. While exploitation requires authenticated access with elevated operator roles, successful abuse could enable full compromise of the backup infrastructure and downstream systems.
RedLegg will occasionally communicate vulnerabilities released outside the usual release schedule to provide additional value to our customers. These emergency bulletins describe vulnerabilities or threats we classify as the highest severity level and warrant out-of-band emergency patching or mitigation action.
VULNERABILITIES
Remote Code Execution in Veeam Backup & Replication via Privileged Operator Roles
CVSS Score: 9.0 (Critical, CVSS v3.1)
Identifier: CVE-2025-59470
Exploit or Proof of Concept (PoC):
There are currently no confirmed reports of active exploitation in the wild. The vulnerability was identified during internal testing by Veeam and disclosed through a coordinated security update.
Update/Patch:
Veeam has released fixes for CVE-2025-59470 as part of a security update for Veeam Backup & Replication.
Customers should review and apply the guidance in the official Veeam Knowledge Base article (KB4792).
The vulnerability is remediated in Veeam Backup & Replication version 13.0.1.1071 and later. All affected deployments should be upgraded to a fixed version as soon as possible.
Description:
CVE-2025-59470 is a remote code execution vulnerability in Veeam Backup & Replication that allows a user with Backup Operator or Tape Operator permissions to execute arbitrary code as the "postgres" user on the system. The weakness is triggered through specially crafted parameter values submitted to privileged backup-related operations, which results in unintended execution of commands in a highly privileged service context.
Mitigation Recommendation:
Apply the security update referenced in Veeam KB4792 and upgrade all affected Backup & Replication servers to version 13.0.1.1071 or later.
Restrict assignment of Backup Operator and Tape Operator roles to the minimum required personnel and review membership of these roles for unnecessary accounts.
Limit network access to Veeam management interfaces and services to trusted administrative networks or VPN-only access.
Enable and regularly review logs for unusual operator activity, unexpected parameter changes, or suspicious execution behavior associated with backup jobs.
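The following PowerShell script is an added example for the first two mitigation recommendations above (upgrade to 13.0.1.1071 or later, and review Backup Operator / Tape Operator role membership); it is not part of the RedLegg bulletin and is not Veeam's own tooling. It assumes a Windows backup server with the Veeam.Backup.PowerShell module installed, that the build number can be read from the Veeam.Backup.Manager.exe binary in the default install directory, and that Get-VBRUserRoleAssignment returns objects with Name, Type and Role properties; verify those names against the Veeam PowerShell reference for your version before relying on the output.

```powershell
# Added example (not from the RedLegg bulletin or from Veeam): check whether a
# Veeam Backup & Replication server is on a build fixed for CVE-2025-59470 and
# list the accounts holding the two operator roles named in the advisory.

# Remediated build named in the bulletin.
$FixedBuild = [version]'13.0.1.1071'

# ASSUMPTION: default install path of the main Veeam service binary; adjust if
# the product is installed elsewhere.
$ManagerExe = 'C:\Program Files\Veeam\Backup and Replication\Backup\Veeam.Backup.Manager.exe'

function Get-VeeamBuildStatus {
    if (-not (Test-Path $ManagerExe)) {
        throw "Veeam.Backup.Manager.exe not found at $ManagerExe"
    }
    $installed = [version](Get-Item $ManagerExe).VersionInfo.FileVersion
    [pscustomobject]@{
        InstalledBuild = $installed
        FixedBuild     = $FixedBuild
        # [version] comparison is numeric per component, so 13.0.1.1071 > 13.0.0.9999.
        Remediated     = ($installed -ge $FixedBuild)
    }
}

function Get-VeeamOperatorAssignments {
    # ASSUMPTION: module name and cmdlet as documented for Veeam B&R v12/v13.
    Import-Module Veeam.Backup.PowerShell -ErrorAction Stop

    # Role display names as they appear in the Veeam console.
    $operatorRoles = 'Veeam Backup Operator', 'Veeam Tape Operator'

    Get-VBRUserRoleAssignment |
        Where-Object { $operatorRoles -contains [string]$_.Role } |
        Select-Object Name, Type, Role
}

$status = Get-VeeamBuildStatus
$status | Format-List

if (-not $status.Remediated) {
    Write-Warning "Build $($status.InstalledBuild) is below $FixedBuild; apply the KB4792 update."
}

# Every account or group listed here can reach the vulnerable operations on an
# unpatched server; review each one against the minimum-required-personnel rule.
Write-Host "Accounts holding Backup Operator or Tape Operator roles:"
Get-VeeamOperatorAssignments | Format-Table -AutoSize
```

Run the script in an elevated PowerShell session on the backup server itself. Because the vulnerability is only reachable with one of the two operator roles, the second table is the practical scope of exposure until the upgrade is applied; group entries deserve particular attention, since their effective membership is resolved in Active Directory rather than in Veeam.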