Veeam Addresses RCE and Other Security Vulnerabilities

Friday, January 9, 2026

Veeam has released security updates to address multiple vulnerabilities in Veeam Backup & Replication, including a critical issue tracked as CVE-2025-59470 with a CVSS score of 9.0. This vulnerability could allow remote code execution (RCE), enabling users assigned the Backup or Tape Operator roles to execute arbitrary code as the postgres user by abusing specially crafted parameters such as interval or order. The issue was discovered through Veeam’s internal security testing.

Although the Backup and Tape Operator roles are considered restricted, Veeam noted that they still possess elevated privileges within the system. When recommended security best practices are properly implemented, the likelihood of exploitation can be reduced, which led Veeam to downgrade the severity classification to High. Nevertheless, the company strongly recommends that organizations apply the available updates to mitigate the risk.

In addition, Veeam has fixed three other security vulnerabilities:

  • CVE-2025-55125 (CVSS 7.2): A vulnerability that allows remote code execution as root via a malicious backup file
  • CVE-2025-59468 (CVSS 6.7): A flaw enabling code execution as the postgres user through the password management mechanism
  • CVE-2025-59469 (CVSS 7.2): A vulnerability that allows arbitrary file writes with root privileges

All of these issues have been resolved in Veeam Backup & Replication version 13.0.1.1071. At this time, there is no confirmed evidence that these vulnerabilities are being actively exploited. Veeam advises users to upgrade to the latest version as soon as possible to strengthen the security of their backup and recovery environments.

Source: https://securityaffairs.com/186630/security/veeam-resolves-cvss-9-0-rce-flaw-and-other-security-issues.html