Veeam has released security patches for its Backup & Replication software to fix several vulnerabilities, the most severe of which allows remote code execution. These flaws affect version 13.0.1.180 and earlier, so administrators should update to version 13.0.1.1071 to prevent potential unauthorized system access.
The most significant vulnerability is identified as CVE-2025-59470 and holds a high severity rating due to its potential for remote code execution. This specific flaw allows individuals with Backup or Tape Operator roles to execute commands as the postgres user by submitting malicious parameters. While the technical score for this risk is quite high, the company suggests the real-world danger is mitigated if organizations are already following established security best practices for privileged accounts.
In addition to the primary flaw, three other security issues were identified that could allow users holding specific administrative roles to escalate their privileges. These include vulnerabilities that could lead to remote code execution as the root user or the ability to write files with elevated permissions. Each of these secondary issues requires some existing level of access, such as the Backup Administrator or Tape Operator role, but they still represent a significant gap in the software's defensive architecture.
The affected roles, specifically Backup and Tape Operators, already hold substantial power within a network, including the ability to manage backup jobs, export data, and handle physical tape media. Because these roles are inherently privileged, security experts emphasize that they should always be closely monitored. The discovery of these vulnerabilities underscores the danger of how these trusted roles could be leveraged by an attacker to gain deeper control over the underlying server infrastructure.
Veeam has confirmed that all identified flaws impact various builds of version 13 and has urged users to move to the latest patched release immediately. Although there have been no confirmed reports of these specific bugs being used in active attacks, the company notes that its software is frequently targeted by malicious actors. Promptly applying these updates is considered a critical step in maintaining the integrity of an organization's backup environment and overall data security.
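The advisory gives two concrete things a defender can act on: a build number to compare against, and a short list of roles whose holders can reach these flaws. The script below is an added example (not Veeam's code or any Veeam export format) that does both. It classifies a reported build as affected, patched, or in the gap the advisory does not describe, and it flags role assignments that carry one of the named roles so they can be reviewed. The version comparison is worth showing because a plain string comparison gets it wrong: "13.0.1.180" sorts after "13.0.1.1071" lexicographically. The assignment records and their field names are constructed sample data.

```python
"""Defender-side checks derived from the Veeam advisory text.

Added illustrative example; not Veeam's code. The build numbers come from the
advisory. The role-assignment records and their "account"/"role" field names
are constructed sample data, not a Veeam export format.
"""
from __future__ import annotations

from typing import Iterable

# Boundaries stated in the advisory.
LAST_AFFECTED_BUILD = "13.0.1.180"
FIXED_BUILD = "13.0.1.1071"

# Roles the advisory names as sufficient to reach one of the flaws.
ROLES_OF_CONCERN = {"Backup Operator", "Tape Operator", "Backup Administrator"}


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '13.0.1.180' into (13, 0, 1, 180) so each component compares numerically."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    return tuple(int(p) for p in parts)


def build_status(version: str) -> str:
    """Classify a Backup & Replication build against the advisory.

    Returns one of:
      "affected"     - version 13 build at or below 13.0.1.180
      "patched"      - version 13 build at or above 13.0.1.1071
      "unknown"      - version 13 build between those two; the advisory does
                       not describe this range, so do not assume it is safe
      "out-of-scope" - a major version the advisory does not mention
    """
    v = parse_version(version)
    if v[0] != 13:
        return "out-of-scope"
    if v <= parse_version(LAST_AFFECTED_BUILD):
        return "affected"
    if v >= parse_version(FIXED_BUILD):
        return "patched"
    return "unknown"


def flag_privileged_assignments(assignments: Iterable[dict]) -> list[dict]:
    """Return the assignments whose role is one the advisory calls out."""
    return [a for a in assignments if a.get("role") in ROLES_OF_CONCERN]


# Constructed sample inventory; account names and roles are illustrative only.
SAMPLE_ASSIGNMENTS = [
    {"account": "CORP\\bkp-svc", "role": "Backup Administrator"},
    {"account": "CORP\\jsmith", "role": "Backup Viewer"},
    {"account": "CORP\\tape-ops", "role": "Tape Operator"},
    {"account": "CORP\\restore-only", "role": "Restore Operator"},
]


if __name__ == "__main__":
    for build in ("13.0.1.180", "13.0.1.500", "13.0.1.1071"):
        print(f"{build}: {build_status(build)}")
    for a in flag_privileged_assignments(SAMPLE_ASSIGNMENTS):
        print(f"review: {a['account']} holds {a['role']}")
```

The "unknown" bucket is deliberate: the advisory names the last affected build and the fixed build but says nothing about anything in between, so the script reports that range rather than guessing. Feed `flag_privileged_assignments` whatever role inventory your environment can export, after mapping it onto the two field names used here.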
Source: Veeam Patches Critical RCE Flaw In Backup And Replication
The CVE-2025-59470 detail is pretty concerning for shops running these backup roles. What's interesting is the Backup Operator access being the attack vector since that role already has serious reach over data exports and job management. From my experience, most orgs underestimate privilege escalation risks from these "trusted" positions until something actually breaks.