Veeam patches Backup & Replication vulnerabilities, urges users to update
The flaws could allow remote code execution, Veeam has warned
Veeam has released security updates for four security flaws in its Backup & Replication software.
Veeam Backup & Replication is the backup and recovery engine of Veeam Data Platform, and provides backup, recovery, and replication for virtual, physical, and cloud workloads.
The company claims to have 67% of Global 2000 firms as customers, including Shell, Airbus and Mondelez International, as well as Managed Service Providers (MSPs) offering backup services.
The vulnerabilities affect Veeam Backup & Replication 13.0.1.180 and all earlier version 13 builds – but not previous versions. In other words, the vulnerabilities affect 12.x and older.
The Veeam vulnerabilities explained
The first, CVE-2025-59470, has had its severity adjusted to high, with a CVSS score of 9.0. This vulnerability allows a Backup or Tape Operator to perform remote code execution (RCE) as the postgres user by sending a malicious interval or order parameter.
Previously rated as critical, its severity was downgraded thanks to the fact that Backup and Tape Operator roles are highly privileged and because security guidelines lowers exploitability.
CVE-2025-55125 is also rated high in severity, with a CVSS score of 7.2. This allows a Backup or Tape Operator to perform remote code execution (RCE) as root by creating a malicious backup configuration file.
Sign up today and you will receive a free copy of our Future Focus 2026 report - the leading resource for IT decision-maker insight on priorities and investment areas in AI, security and more.
The medium-severity CVE-2025-59468, meanwhile, allows a Backup Administrator to perform remote code execution (RCE) as the postgres user by sending a malicious password parameter.
Finally, CVE-2025-59469, with a CVSS score of 7.2, allows a Backup or Tape Operator to write files as root.
Backup systems are prime targets for hackers
Shane Barney, CISO at Keeper Security, said backup systems are a “consistent target” for cyber criminals largely due to the fact they have “broad access across infrastructure”.
"If an attacker gains control of one of these privileged roles – whether through credential theft, misconfiguration or insider misuse – vulnerabilities like this can be used to execute code and weaken an organization’s ability to recover from an attack,” he said.
All the flaws were discovered through internal testing and there's no evidence that they've been exploited in the wild. The company has now released a new version of the software, 13.0.1.1071, to address the vulnerabilities.
Organizations are advised to update immediately. However, they should also work to avoid the risks in the first place, said Barney, by tightly controlling and monitoring privileged access.
"Veeam acted appropriately by disclosing and patching the issue, but the broader lesson for organizations is that patching alone isn’t enough," he said.
"Backup operator accounts should be treated as the most sensitive class of privileged access, with strict access controls, continuous monitoring and minimal standing permissions. When privileged access is tightly governed, the real-world impact of vulnerabilities like this is significantly reduced."
FOLLOW US ON SOCIAL MEDIA
Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.
You can also follow ITPro on LinkedIn, X, Facebook, and BlueSky.
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.
-
The NCSC wants to build an AI-powered 'Cyber Shield' to protect the UK from hackersNews The aim is to create a national, sovereign defence capability to protect government agencies and critical infrastructure
-
IBM targets data center efficiency gains with new z17 and LinuxONE offeringsNews Cost, data center footprint, and performance improvements are coming for IBM Z and LinuxONE customers
-
‘Every hour ransomware goes undetected drastically increases its potential blast radius’: Hackers are breaching networks and laying low for longer – and nearly half of firms don’t realize until data is stolenNews An ExtraHop survey found more intrusions are going undetected, leading to longer dwell times
-
OpenAI expands 'Daybreak' cyber program: New tools, partnerships, and a cyber-focused GPT-5.5 aim to help 'patch the world'News The company has added new tools, signed up partners, and released its GPT-5.5-Cyber model more widely
-
AI is shrinking attack windows, and it’s forcing a complete rethink of cyber resilience – here’s how organizations can prepareNews Commvault has urged companies to improve their business continuity and resilience plans in the face of flaws spotted by AI
-
Anthropic targets vulnerability detection gains with Claude Security public beta — here's what users can expectNews The Claude Mythos developer is aiming for a more limited approach to cyber tooling for public consumption
-
Researchers warn millions of RDP and VNC servers are wide open to exploitationNews Researchers at Forescout spotted millions of RDP and VNC servers exposed online
-
Brace yourselves for a vulnerability explosion, Forescout warnsNews AI advances are helping identify software flaws at record pace and scale, but that's not the good news some would think
-
Ubuntu vulnerability exposes enterprises to root escalation, complete system compromiseNews The high-severity Ubuntu vulnerability allows an unprivileged local attacker to escalate privileges through the interaction of two standard system components
-
Security agencies issue warning over critical Cisco Catalyst SD-WAN vulnerabilityNews Threat actors have been exploiting the vulnerability to achieve root access since 2023