Veeam released security updates to patch multiple security flaws in its Backup & Replication software, including a critical remote code execution (RCE) vulnerability.
Tracked as CVE-2025-59470, this RCE security flaw affects Veeam Backup & Replication 13.0.1.180 and all earlier version 13 builds.
“This vulnerability allows a Backup or Tape Operator to perform remote code execution (RCE) as the postgres user by sending a malicious interval or order parameter,” Veeam explained in a Tuesday advisory.
However, the information technology company adjusted its rating to high severity because it can only be exploited by attackers with the Backup or Tape Operator roles.
“The Backup and Tape Operator roles are considered highly privileged roles and should be protected as such. Following Veeam’s recommended Security Guidelines further reduces the opportunity for exploitability,” it added.
Veeam released version 13.0.1.1071 on January 6 to patch CVE-2025-59470 and address two other high-severity (CVE-2025-55125) and medium-severity (CVE-2025-59468) vulnerabilities that enable malicious backup or tape operators to gain remote code execution by creating a malicious backup configuration file or sending a malicious password parameter, respectively.
Veeam’s Backup & Replication (VBR) enterprise data backup and recovery software helps create copies of critical data and applications that can be quickly restored following cyberattacks, hardware failures, or disasters.
Veeam flaws targeted by ransomware gangs
VBR is particularly popular among mid-sized to large enterprises and managed service providers, but it’s also often targeted by ransomware gangs, since it can serve as a quick pivot point for lateral movement within victims’ environments.
Ransomware gangs have previously told BleepingComputer that they always target victims’ VBR servers because it simplifies data theft and makes it easy to block restoration efforts by deleting backups before deploying ransomware payloads.
The Cuba ransomware gang and the financially motivated FIN7 threat group (which had previously collaborated with the Conti, REvil, Maze, Egregor, and BlackBasta ransomware gangs) have also been linked to attacks targeting VBR vulnerabilities in the past.
More recently, Sophos X-Ops incident responders revealed in November 2024 that Frag ransomware exploited another VBR RCE vulnerability (CVE-2024-40711) disclosed two months earlier. The same security flaw was also used in Akira and Fog ransomware attacks targeting vulnerable Veeam backup servers starting in October 2024.
Veeam’s products are used by over 550,000 customers worldwide, including 74% of Global 2,000 firms and 82% of Fortune 500 companies.
Whether you’re cleaning up old keys or setting guardrails for AI-generated code, this guide helps your team build securely from the start.
Get the cheat sheet and take the guesswork out of secrets management.