At a glance: Multiple vulnerabilities in Veeam Backup & Replication enable authenticated remote code execution and privileged file writes, potentially leading to backup infrastructure compromise. While exploitation is not trivial, successful abuse could allow manipulation of backup data and lateral movement. Organizations should upgrade to version 13.0.1.1071 and review privileged role assignments. Field Effect MDR users will receive an ARO if impacted, with guidance on recommended mitigation steps.
Threat summary
On January 6, 2026, Veeam released version 13.0.1.1071 of Veeam Backup & Replication, a widely deployed backup and disaster recovery product used to protect virtual machines, cloud workloads, and physical systems.
The new version addresses four security vulnerabilities.
The first, CVE-2025-59470, allows a user with Backup Operator or Tape Operator access to achieve remote code execution (RCE) as the postgres user. This provides access to the backup server’s database layer and could enable manipulation of backup data or lateral movement. Veeam initially assigned the vulnerability a CVSS score of 9.0, later adjusting the severity to High due to the privileged access requirement.
The other three flaws also enable RCE through crafted configuration files or malicious password parameters:
- CVE-2025-55125 allows a Backup Operator or Tape Operator to perform RCE as root by creating a malicious backup configuration file. Severity: High (CVSS 7.2)
- CVE-2025-59468 allows a Backup Administrator to perform RCE as the postgres user by sending a malicious password parameter. Severity: Medium (CVSS 6.7)
- CVE-2025-59469 allows a Backup Operator or Tape Operator to write files as root. Severity: High (CVSS 7.2)
The flaws affect organizations running version 13.0.1.180 and earlier version 13 builds.
Insights & mitigations
These vulnerabilities are not trivial to exploit because they require the threat actor to already have a privileged Veeam role, such as:
- Backup Operator
- Tape Operator
- Backup Administrator
These roles are typically assigned to IT staff, help-desk technicians, or operations personnel who need to run or monitor backups but should not have full administrative privileges. They are intentionally limited so organizations can separate duties and reduce risk.
CVE-2025-59470 essentially represents an authenticated privilege escalation, where a threat actor who already holds one of the above roles can elevate their access to the postgres account. The postgres user has full administrative control over all databases, tables, and metadata. In many deployments, the PostgreSQL service also runs under a system account named postgres, giving it complete authority over the database layer.
Because Veeam stores critical configuration, job metadata, repository information, and encrypted credentials in PostgreSQL, RCE as the postgres user enables an attacker to manipulate or corrupt backup metadata, alter job configurations, delete records, or potentially pivot deeper into the backup infrastructure. The flaw could lead to a high-impact compromise because the database is central to the integrity of backup and recovery operations.
Backup infrastructure remains a strategic target for ransomware operators, and misuse of privileged roles or compromise of operator credentials continues to represent a realistic threat vector.
The primary mitigation is to upgrade to Veeam Backup & Replication version 13.0.1.1071, which contains fixes for all four vulnerabilities. Additional mitigations include restricting operator-level roles, tightening access controls, monitoring for abuse, and isolating backup infrastructure.
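The upgrade and role review described above, as an added example (not Field Effect or Veeam code): a Python triage that classifies each server's build against the advisory and lists which accounts hold roles that can reach which CVEs. The CSV layout, host names, and account names are constructed assumptions; builds between 13.0.1.180 and 13.0.1.1071 are marked for manual verification because the advisory does not classify them.

```python
import csv
import io

FIXED = (13, 0, 1, 1071)               # fixed build named in the advisory
LAST_KNOWN_AFFECTED = (13, 0, 1, 180)  # "13.0.1.180 and earlier version 13 builds"

# Role -> CVEs that role can reach, as listed in the advisory.
OPERATOR_CVES = ["CVE-2025-55125", "CVE-2025-59469", "CVE-2025-59470"]
ROLE_CVES = {
    "Backup Operator": OPERATOR_CVES,
    "Tape Operator": OPERATOR_CVES,
    "Backup Administrator": ["CVE-2025-59468"],
}

# Constructed sample exports (hypothetical hosts, accounts, and column names).
SERVERS = "host,build\nvbr-01,13.0.1.180\nvbr-02,13.0.1.1071\nvbr-03,13.0.1.500\nvbr-04,12.0.0.1\n"
ROLES = ("host,account,role\nvbr-01,svc-tape,Tape Operator\nvbr-01,jdoe,Backup Administrator\n"
         "vbr-01,helpdesk1,Restore Operator\nvbr-02,ops1,Backup Operator\nvbr-03,ops1,Backup Operator\n")

def build_status(build):
    """Classify a four-part build string against the advisory's version statements."""
    try:
        v = tuple(int(p) for p in build.strip().split("."))
    except ValueError:
        return "unparseable"
    if len(v) != 4:
        return "unparseable"
    if v[0] != 13:
        return "out-of-scope"   # the advisory only covers version 13 builds
    if v >= FIXED:
        return "fixed"
    if v <= LAST_KNOWN_AFFECTED:
        return "affected"
    return "verify"             # between the two named builds: check with the vendor

def triage(servers_csv, roles_csv):
    """Return {host: {"status", "exposure": {account: [CVEs]}}} for hosts needing action."""
    holders = {}
    for r in csv.DictReader(io.StringIO(roles_csv)):
        cves = ROLE_CVES.get(r["role"])
        if cves:  # roles not named in the advisory are ignored
            holders.setdefault(r["host"], {}).setdefault(r["account"], set()).update(cves)
    report = {}
    for s in csv.DictReader(io.StringIO(servers_csv)):
        status = build_status(s["build"])
        if status not in ("fixed", "out-of-scope"):
            exposure = {a: sorted(c) for a, c in holders.get(s["host"], {}).items()}
            report[s["host"]] = {"status": status, "exposure": exposure}
    return report

if __name__ == "__main__":
    for host, info in triage(SERVERS, ROLES).items():
        print(host, info["status"], info["exposure"])
```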
Field Effect MDR users will be alerted via ARO if vulnerable systems are detected in their environment, providing clear guidance on steps recommended to mitigate the threat.
Field Effect MDR helps mitigate this threat by continuously monitoring for abnormal behavior across endpoints, networks, and cloud services, allowing it to quickly detect and respond to the kinds of actions a threat actor would take to exploit these vulnerabilities.