Critical Vulnerabilities Patched in Veeam Backup & Replication Software
Veeam has released security updates for its Backup & Replication software, addressing four significant vulnerabilities, including a critical remote code execution (RCE) flaw tracked as CVE-2025-59470 with a CVSS score of 9.0. This vulnerability allows users with Backup or Tape Operator roles to execute arbitrary code as the postgres user by sending malicious parameters, posing a high risk due to the elevated privileges of these roles. Additional vulnerabilities addressed include CVE-2025-55125, CVE-2025-59468, and CVE-2025-59469, which could allow RCE as root or the postgres user, or enable file writes as root. All issues affect Veeam Backup & Replication version 13.0.1.180 and earlier, and have been resolved in version 13.0.1.1071.
Veeam has emphasized the importance of following its security guidelines to reduce exploitation risk, although there is no evidence of these vulnerabilities being exploited in the wild at this time. Security advisories from both Veeam and the Canadian Centre for Cyber Security urge users and administrators to review the official documentation and apply the necessary updates immediately to mitigate potential threats. Organizations are advised to ensure that only trusted personnel have access to privileged operator roles and to update their systems without delay.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Canadian Centre for Cyber Security urges users to apply Veeam updates
On January 7, 2026, the Canadian Centre for Cyber Security issued advisory AV26-008 highlighting Veeam's patched vulnerabilities and recommending that organizations review Veeam guidance and update affected systems. The notice reiterated that all versions before 13.0.1.1071 are impacted.
Veeam releases advisory and patches for Backup & Replication flaws
On January 6, 2026, Veeam published a security advisory and released fixes for four vulnerabilities in Veeam Backup & Replication, including the critical RCE flaw CVE-2025-59470. The issues affect versions prior to 13.0.1.1071, and Veeam made version 13.0.1.1071 available as the patched release.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Critical Remote Code Execution Vulnerabilities in Veeam Backup & Replication v13
Veeam Software disclosed and patched four critical vulnerabilities in its Backup & Replication v13 product, including a remote code execution (RCE) flaw rated CVSS 9.0 (CVE-2025-59470) that allows Backup or Tape Operators to execute arbitrary code as the PostgreSQL user by abusing interval or order parameters. Additional vulnerabilities include CVE-2025-55125, which enables RCE as root via a malicious backup configuration file, CVE-2025-59468 for RCE as the PostgreSQL user through a password parameter, and CVE-2025-59469 for arbitrary file write as root. These flaws were discovered during internal testing and have been addressed in build 13.0.1.1071, with Veeam urging immediate upgrades to mitigate risk. The vulnerabilities specifically affect Veeam Backup & Replication v13.0.1.180 and earlier v13 builds, while versions 12.x and older are not impacted. Veeam highlighted that the affected operator roles are highly privileged, and following security guidelines can reduce exploitability, which led to some severity downgrades. There is currently no evidence of exploitation in the wild, but the risk of attackers reverse-engineering patches to target unpatched systems is significant. Organizations are advised to update promptly and restrict operator role assignments to trusted personnel to minimize exposure.
Mar 21, 2026
Critical RCE and Privilege-Escalation Vulnerabilities Patched in Veeam Backup & Replication
**Veeam** released security updates for *Veeam Backup & Replication (VBR)* addressing multiple vulnerabilities, including **four critical remote code execution (RCE) flaws** that could allow code execution on backup servers under certain access conditions. Reported issues include RCE paths for low-privileged domain users (CVE-2026-21666, CVE-2026-21667, CVE-2026-21669) and an additional RCE scenario where a Backup Viewer could achieve code execution as the `postgres` user (CVE-2026-21708). Veeam also fixed several high-severity issues enabling actions such as privilege escalation on Windows-based VBR servers, extraction of saved SSH credentials, and bypassing restrictions to manipulate arbitrary files on a Backup Repository. The Canadian Centre for Cyber Security relayed Veeam’s advisory and urged organizations to apply updates, noting affected branches as VBR 12 and 13 prior to fixed releases. Veeam’s fixes are available in **Veeam Backup & Replication 12.3.2.4465** and **13.0.1.2067**, and the vendor warned that attackers commonly reverse-engineer patches shortly after release to target unpatched deployments—an elevated concern given VBR’s frequent targeting in ransomware operations. Other Canadian Centre advisories in the same period covered unrelated vendor updates (e.g., ABB, GitHub, Splunk, JetBrains, Hitachi, VMware, Fortinet, Mozilla) and do not describe the Veeam RCE issue.
Mar 21, 2026
Veeam Fixes Multiple Critical Backup & Replication RCE Vulnerabilities
**Veeam** released security updates for **Backup & Replication** to address multiple high-severity flaws, including several **remote code execution** issues affecting version `12.3.2.4165` and all earlier version 12 builds. The disclosed vulnerabilities include `CVE-2026-21666`, `CVE-2026-21667`, `CVE-2026-21668`, `CVE-2026-21672`, and `CVE-2026-21708`, with several carrying **CVSS 9.9** ratings. According to the advisories, successful exploitation could allow authenticated domain users to execute code on the backup server, manipulate arbitrary files on a backup repository, or achieve local privilege escalation on Windows-based servers. Veeam said the issues were fixed in **Backup & Replication** version `12.3.2.4465`, while `CVE-2026-21672` and `CVE-2026-21708` were also remediated in version `13.0.1.2067`, alongside additional critical flaws `CVE-2026-21669` and `CVE-2026-21671`. The company warned that public patch disclosure increases the likelihood of **patch reverse engineering** and follow-on attacks against unpatched systems, making rapid remediation a priority for organizations running exposed or domain-connected Veeam infrastructure.
Mar 20, 2026