Veeam patches Backup & Replication vulnerabilities, urges users to update

The flaws could allow remote code execution, Veeam has warned

Veeam logo and branding pictured on a smartphone screen.
(Image credit: Getty Images)

Veeam has released security updates for four security flaws in its Backup & Replication software.

Veeam Backup & Replication is the backup and recovery engine of Veeam Data Platform, and provides backup, recovery, and replication for virtual, physical, and cloud workloads.

The company claims to have 67% of Global 2000 firms as customers, including Shell, Airbus and Mondelez International, as well as Managed Service Providers (MSPs) offering backup services.

The vulnerabilities affect Veeam Backup & Replication 13.0.1.180 and all earlier version 13 builds, but not previous major versions. In other words, 12.x and older are not affected.

The Veeam vulnerabilities explained

The first, CVE-2025-59470, has had its severity adjusted to high, with a CVSS score of 9.0 (a score the CVSS qualitative scale itself places in the critical band; the high rating is Veeam's own assessment). This vulnerability allows a Backup Operator or Tape Operator to perform remote code execution (RCE) as the postgres user by sending a malicious interval or order parameter.

Previously rated as critical, it was downgraded on the grounds that the Backup Operator and Tape Operator roles are already highly privileged, and that following Veeam's security guidelines lowers exploitability.

CVE-2025-55125 is also rated high in severity, with a CVSS score of 7.2. This allows a Backup or Tape Operator to perform remote code execution (RCE) as root by creating a malicious backup configuration file.

The medium-severity CVE-2025-59468, meanwhile, allows a Backup Administrator to perform remote code execution (RCE) as the postgres user by sending a malicious password parameter.

Finally, CVE-2025-59469, with a CVSS score of 7.2 (high), allows a Backup or Tape Operator to write files as root.

Backup systems are prime targets for hackers

Shane Barney, CISO at Keeper Security, said backup systems are a “consistent target” for cyber criminals largely due to the fact they have “broad access across infrastructure”.

"If an attacker gains control of one of these privileged roles – whether through credential theft, misconfiguration or insider misuse – vulnerabilities like this can be used to execute code and weaken an organization’s ability to recover from an attack,” he said.

All the flaws were discovered through internal testing and there's no evidence that they've been exploited in the wild. The company has now released a new version of the software, 13.0.1.1071, to address the vulnerabilities.
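The affected and fixed build numbers above translate directly into a triage check for a server inventory. The following Python is an added example written for this article, not Veeam's own code or tooling: the hostnames, the 12.x build string and the 13.0.0.x build string are constructed for illustration, and the only numbers taken from the advisory as reported here are 13.0.1.180 (last affected) and 13.0.1.1071 (fixed). It also shows why the comparison must be done on integer tuples rather than strings.

```python
"""Classify Veeam Backup & Replication builds against the reported
affected range. Constructed example for this article, not Veeam code."""

from __future__ import annotations

import re
from enum import Enum

# Build numbers reported in the advisory coverage above.
LAST_AFFECTED_BUILD = (13, 0, 1, 180)   # 13.0.1.180 and all earlier v13 builds
FIXED_BUILD = (13, 0, 1, 1071)          # release that addresses all four CVEs
AFFECTED_MAJOR = 13                     # 12.x and older are not affected

_BUILD_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)$")


class Status(str, Enum):
    AFFECTED = "affected"
    FIXED = "fixed"
    NOT_AFFECTED = "not affected"
    UNKNOWN = "unknown"


def parse_build(build: str) -> tuple[int, int, int, int] | None:
    """Turn '13.0.1.180' into (13, 0, 1, 180); None for malformed input.

    Integer tuples matter: compared as strings, '13.0.1.1071' < '13.0.1.180'
    because '0' < '8', which would mark the patched build as vulnerable.
    """
    m = _BUILD_RE.match(build.strip())
    if not m:
        return None
    return tuple(int(x) for x in m.groups())  # type: ignore[return-value]


def classify(build: str) -> Status:
    """Map one reported build string to its patch status."""
    v = parse_build(build)
    if v is None:
        return Status.UNKNOWN
    if v[0] < AFFECTED_MAJOR:
        return Status.NOT_AFFECTED          # 12.x and older per the advisory
    if v[0] > AFFECTED_MAJOR:
        return Status.UNKNOWN               # later majors are not covered by it
    if v <= LAST_AFFECTED_BUILD:
        return Status.AFFECTED
    if v >= FIXED_BUILD:
        return Status.FIXED
    # A v13 build between 13.0.1.180 and 13.0.1.1071 is not named either way.
    return Status.UNKNOWN


# Constructed inventory (hypothetical hostnames and builds, except the two
# advisory builds): hostname -> build string reported by the backup server.
SAMPLE_INVENTORY = {
    "vbr-prod-01": "13.0.1.180",
    "vbr-prod-02": "13.0.0.4967",   # hypothetical earlier v13 build
    "vbr-dr-01": "13.0.1.1071",
    "vbr-legacy-01": "12.3.2.3617",  # hypothetical 12.x build
    "vbr-lab-01": "n/a",
}


def triage(inventory: dict[str, str]) -> dict[str, Status]:
    """Classify every host in the inventory."""
    return {host: classify(build) for host, build in inventory.items()}


def hosts_needing_update(inventory: dict[str, str]) -> list[str]:
    """Hosts that must be moved to 13.0.1.1071 or later, sorted by name."""
    return sorted(h for h, s in triage(inventory).items() if s is Status.AFFECTED)


if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:15} {SAMPLE_INVENTORY[host]:14} {status.value}")
    print("needs update:", hosts_needing_update(SAMPLE_INVENTORY))
```

Unknown entries are reported rather than silently skipped so that hosts with missing or malformed version data get a manual check instead of being assumed safe.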

Organizations are advised to update immediately. However, they should also work to avoid the risks in the first place, said Barney, by tightly controlling and monitoring privileged access.

"Veeam acted appropriately by disclosing and patching the issue, but the broader lesson for organizations is that patching alone isn’t enough," he said.

"Backup operator accounts should be treated as the most sensitive class of privileged access, with strict access controls, continuous monitoring and minimal standing permissions. When privileged access is tightly governed, the real-world impact of vulnerabilities like this is significantly reduced."


Emma Woollacott

Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.