Critical Remote Code Execution Vulnerabilities in Veeam Backup & Replication v13
Veeam Software disclosed and patched four critical vulnerabilities in its Backup & Replication v13 product, including a remote code execution (RCE) flaw rated CVSS 9.0 (CVE-2025-59470) that allows Backup or Tape Operators to execute arbitrary code as the PostgreSQL user by abusing interval or order parameters. Additional vulnerabilities include CVE-2025-55125, which enables RCE as root via a malicious backup configuration file, CVE-2025-59468 for RCE as the PostgreSQL user through a password parameter, and CVE-2025-59469 for arbitrary file write as root. These flaws were discovered during internal testing and have been addressed in build 13.0.1.1071, with Veeam urging immediate upgrades to mitigate risk.
The vulnerabilities specifically affect Veeam Backup & Replication v13.0.1.180 and earlier v13 builds, while versions 12.x and older are not impacted. Veeam highlighted that the affected operator roles are highly privileged, and following security guidelines can reduce exploitability, which led to some severity downgrades. There is currently no evidence of exploitation in the wild, but the risk of attackers reverse-engineering patches to target unpatched systems is significant. Organizations are advised to update promptly and restrict operator role assignments to trusted personnel to minimize exposure.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Veeam discloses the flaws and urges immediate upgrades
On January 7, 2026, Veeam publicly disclosed the patched vulnerabilities, highlighting CVE-2025-59470 as the most severe issue and noting that its severity was downgraded from critical to high because exploitation requires privileged roles. The company said there was no evidence of in-the-wild exploitation and advised customers to upgrade immediately and follow security best practices.
Veeam releases build 13.0.1.1071 to patch the vulnerabilities
On January 6, 2026, Veeam released Backup & Replication version 13.0.1.1071 to fix the four disclosed vulnerabilities affecting v13 builds. The company said version 12.x and older releases were not affected.
Veeam internally discovers four Backup & Replication v13 vulnerabilities
Veeam identified four security flaws in Veeam Backup & Replication v13, including CVE-2025-59470, CVE-2025-55125, CVE-2025-59468, and CVE-2025-59469. The issues could enable remote code execution or file write actions by users with privileged operator roles.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
6 references tracked. Mallory keeps watching after this page renders.
Critical RCE in Veeam Backup & Replication: CVE-2025-59470
thecyberthrone.in
Open sourceVeeam Backup Vulnerabilities Enables Remote Code Execution as Root
cybersecuritynews.com
Open sourceVeeam resolves CVSS 9.0 RCE flaw and other security issues
securityaffairs.com
Open sourceNew Veeam vulnerabilities expose backup servers to RCE attacks
bleepingcomputer.com
Open sourceVeeam issues patch to close critical remote code execution flaw
cyberscoop.com
Open sourceHoles in Veeam Backup suite allow remote code execution, creation of malicious backup config files
csoonline.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Critical Vulnerabilities Patched in Veeam Backup & Replication Software
Veeam has released security updates for its Backup & Replication software, addressing four significant vulnerabilities, including a critical remote code execution (RCE) flaw tracked as CVE-2025-59470 with a CVSS score of 9.0. This vulnerability allows users with Backup or Tape Operator roles to execute arbitrary code as the `postgres` user by sending malicious parameters, posing a high risk due to the elevated privileges of these roles. Additional vulnerabilities addressed include CVE-2025-55125, CVE-2025-59468, and CVE-2025-59469, which could allow RCE as root or the `postgres` user, or enable file writes as root. All issues affect Veeam Backup & Replication version 13.0.1.180 and earlier, and have been resolved in version 13.0.1.1071. Veeam has emphasized the importance of following its security guidelines to reduce exploitation risk, although there is no evidence of these vulnerabilities being exploited in the wild at this time. Security advisories from both Veeam and the Canadian Centre for Cyber Security urge users and administrators to review the official documentation and apply the necessary updates immediately to mitigate potential threats. Organizations are advised to ensure that only trusted personnel have access to privileged operator roles and to update their systems without delay.
Mar 21, 2026
Veeam Fixes Multiple Critical Backup & Replication RCE Vulnerabilities
**Veeam** released security updates for **Backup & Replication** to address multiple high-severity flaws, including several **remote code execution** issues affecting version `12.3.2.4165` and all earlier version 12 builds. The disclosed vulnerabilities include `CVE-2026-21666`, `CVE-2026-21667`, `CVE-2026-21668`, `CVE-2026-21672`, and `CVE-2026-21708`, with several carrying **CVSS 9.9** ratings. According to the advisories, successful exploitation could allow authenticated domain users to execute code on the backup server, manipulate arbitrary files on a backup repository, or achieve local privilege escalation on Windows-based servers. Veeam said the issues were fixed in **Backup & Replication** version `12.3.2.4465`, while `CVE-2026-21672` and `CVE-2026-21708` were also remediated in version `13.0.1.2067`, alongside additional critical flaws `CVE-2026-21669` and `CVE-2026-21671`. The company warned that public patch disclosure increases the likelihood of **patch reverse engineering** and follow-on attacks against unpatched systems, making rapid remediation a priority for organizations running exposed or domain-connected Veeam infrastructure.
Mar 20, 2026
Critical Remote Code Execution Vulnerabilities in Veeam Backup & Replication
Veeam released a security advisory disclosing multiple vulnerabilities in its Veeam Backup & Replication and Veeam Agent for Microsoft Windows products. Two of the vulnerabilities, CVE-2025-48983 and CVE-2025-48984, were rated as critical with a CVSS score of 9.9, indicating a severe risk to affected systems. Both critical vulnerabilities reside in the Veeam Backup & Replication product and allow an authenticated domain user to execute arbitrary code on backup infrastructure hosts and the backup server, respectively. These flaws specifically impact Veeam Backup & Replication version 12.3.2.3617 and all earlier version 12 builds, but only on domain-joined backup servers. A third vulnerability, CVE-2025-48982, affects Veeam Agent for Microsoft Windows and allows for local privilege escalation if a system administrator is tricked into restoring a malicious file. This vulnerability impacts version 6.3.2.1205 and all earlier version 6 builds of the agent. The vendor has indicated that unsupported product versions have not been tested but are likely vulnerable and should be considered at risk. The vulnerabilities were disclosed on October 14, 2025, and security advisories were published the following day to alert users and administrators. CERT-EU and other security organizations have strongly recommended that organizations update affected software immediately to mitigate the risk of exploitation. In addition to patching, following Veeam's implementation best practices is advised to further reduce exposure. The vulnerabilities require an authenticated domain user for exploitation, which means that attackers would need valid credentials or access to a compromised account within the target environment. The potential impact of successful exploitation includes full remote code execution on critical backup infrastructure, which could lead to data theft, ransomware deployment, or destruction of backup data. The disclosure has raised concerns in the security community due to the critical nature of backup systems in organizational resilience and recovery. Security advisories have emphasized the urgency of remediation, given the high CVSS scores and the potential for significant operational disruption. Organizations are also advised to review their backup server configurations and restrict access to trusted users only. The vendor has provided detailed guidance and best practices for hardening Veeam deployments, including recommendations for both workgroup and domain-joined environments. The vulnerabilities highlight the ongoing risks associated with backup infrastructure and the importance of timely patch management. Security teams are urged to monitor for signs of exploitation and to ensure that all backup-related systems are included in vulnerability management programs. The incident underscores the need for layered security controls and regular review of privileged access within enterprise environments.
Mar 21, 2026