Severity: Critical · Public exploit available

RCE in Veeam Backup & Replication via interval/order parameter

Identifiers: CVE-2025-59470 · CWE-77 (Improper Neutralization of Special…)

CVE-2025-59470 is a command injection / remote code execution vulnerability in Veeam Backup & Replication Version 13. The flaw allows a user assigned the Backup Operator or Tape Operator role to execute arbitrary commands as the postgres user by supplying a malicious interval or order parameter to the application. NVD classifies the issue as CWE-77 and assigns CVSS v3.1 AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L. Affected versions are Veeam Backup & Replication 13 builds from 13.0.0.4967 inclusive up to 13.0.1.1071 exclusive; multiple sources also describe the affected range as 13.0.1.180 and earlier within the 13.x branch. Veeam states versions 12.x and older are not affected.

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation provides authenticated remote code execution on the Veeam backup server in the security context of the postgres user. This can enable compromise of the Veeam PostgreSQL database, tampering with backup-management data, disruption of backup operations, and potentially follow-on lateral movement or broader compromise depending on host configuration and local privilege relationships. Confidentiality and integrity impact are high; availability impact is lower but backup services and related data may be disrupted or corrupted.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, restrict assignment and use of Backup Operator and Tape Operator roles to only fully trusted personnel, enforce least privilege, and limit network access to the Veeam server to essential administrative paths only. Monitor audit and application logs for suspicious use of interval or order parameters and other anomalous operator activity. Additional hardening measures noted in supporting content include MFA for administrative accounts and network segmentation/isolation of backup infrastructure from untrusted networks.
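The monitoring advice above is abstract, so here is an added example of what "watch for suspicious use of interval or order parameters" can look like in practice. This is illustrative code written for this page, not Mallory's or Veeam's own detection; the key=value log format, the sample lines, the field names `user`/`role`/`action` and the metacharacter list are all constructed assumptions (the page does not document Veeam's actual audit-log layout), so the parser is the part you would adapt to your real log source.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample log lines in a hypothetical key=value layout. Veeam's real
# audit-log format is not documented on the page; swap parse_line() for yours.
SAMPLE_LOG = """\
2026-02-11T09:12:01Z user=alice role=BackupOperator action=EditSchedule interval="15 minutes" order=asc
2026-02-11T09:14:27Z user=bob role=TapeOperator action=EditSchedule interval="1 hour" order=desc
2026-02-11T09:15:40Z user=bob role=TapeOperator action=EditSchedule interval="1; id" order=asc
2026-02-11T09:16:02Z user=carol role=BackupOperator action=EditSchedule interval="30 minutes" order="asc | id"
2026-02-11T09:17:55Z user=dave role=BackupAdministrator action=EditSchedule interval="$(id)" order=asc
"""

# The two parameters the advisory names as the injection vector.
WATCHED_PARAMS = ("interval", "order")

# Shell metacharacters that have no legitimate place in a scheduling interval or
# a sort order: separators, pipes, redirection, subshells and backticks.
METACHAR_RE = re.compile(r"[;|&`$<>\n]|\$\(|\(\)")

# key=value or key="quoted value"
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Roles the advisory says can reach the vulnerable code path.
OPERATOR_ROLES = {"BackupOperator", "TapeOperator"}


def parse_line(line: str) -> Dict[str, str]:
    """Split one key=value log line into a dict; the leading timestamp goes under 'ts'."""
    fields: Dict[str, str] = {}
    parts = line.split(" ", 1)
    fields["ts"] = parts[0]
    for m in KV_RE.finditer(parts[1] if len(parts) > 1 else ""):
        key, quoted, bare = m.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def suspicious_params(fields: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (param, value) pairs whose value carries shell metacharacters."""
    hits: List[Tuple[str, str]] = []
    for p in WATCHED_PARAMS:
        v = fields.get(p)
        if v is not None and METACHAR_RE.search(v):
            hits.append((p, v))
    return hits


def scan_log(text: str) -> List[Dict[str, object]]:
    """Flag lines where a watched parameter looks injected, with role context for triage."""
    findings: List[Dict[str, object]] = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        f = parse_line(raw)
        hits = suspicious_params(f)
        if hits:
            findings.append({
                "ts": f.get("ts", ""),
                "user": f.get("user", ""),
                "role": f.get("role", ""),
                # True when the actor holds one of the roles the advisory names.
                "operator_role": f.get("role") in OPERATOR_ROLES,
                "params": hits,
            })
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Run against the constructed sample it flags the three lines whose `interval` or `order` value contains a separator, pipe or subshell; the `operator_role` flag lets you prioritise hits from exactly the roles the advisory says can reach the vulnerable path, while still surfacing the same pattern from other accounts.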

Remediation

Patch, then assume compromise.

Upgrade Veeam Backup & Replication to version 13.0.1.1071 or later. Veeam’s vendor guidance references KB4792 for the fixed release and associated security update details. Systems running Version 13 prior to 13.0.1.1071 should be treated as vulnerable. Versions 12.x and older are reported as not affected.
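Two version rules appear on this page: the published range 13.0.0.4967 (inclusive) to 13.0.1.1071 (exclusive), and the more conservative remediation rule that any Version 13 build before 13.0.1.1071 should be treated as vulnerable. The following added example (written for this page, not vendor or Mallory code) turns both into an inventory check; the host names and the 12.x build string in the sample inventory are constructed placeholders.

```python
from typing import Dict, Tuple

# Range as stated on the page: 13.0.0.4967 <= build < 13.0.1.1071.
AFFECTED_FROM = (13, 0, 0, 4967)
FIXED_IN = (13, 0, 1, 1071)

Version = Tuple[int, ...]


def parse_version(s: str) -> Version:
    """Parse a dotted Veeam build string such as '13.0.1.180' into a comparable tuple."""
    parts = s.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {s!r}")
    t = tuple(int(p) for p in parts)
    # Pad to four components so '13.0.1' compares like '13.0.1.0'.
    return t + (0,) * (4 - len(t)) if len(t) < 4 else t


def status(version: str, strict: bool = False) -> str:
    """Classify one build.

    strict=False applies the remediation rule on the page: every 13.x build
    below 13.0.1.1071 is treated as vulnerable.
    strict=True applies the exact published range, so a 13.x build below
    13.0.0.4967 is reported as outside the range rather than vulnerable.
    Returns 'not_affected', 'vulnerable', 'fixed' or 'out_of_scope'.
    """
    v = parse_version(version)
    if v[0] < 13:
        return "not_affected"      # 12.x and older are stated as not affected
    if v[0] > 13:
        return "out_of_scope"      # the advisory only speaks to the 13.x branch
    if v >= FIXED_IN:
        return "fixed"
    if strict and v < AFFECTED_FROM:
        return "out_of_scope"      # 13.x build below the published lower bound
    return "vulnerable"


def triage(inventory: Dict[str, str], strict: bool = False) -> Dict[str, str]:
    """Map host -> status for an inventory of {host: build string}."""
    return {host: status(build, strict) for host, build in inventory.items()}


if __name__ == "__main__":
    # Constructed inventory; host names and the 12.x build are illustrative only.
    sample = {
        "vbr-01": "13.0.0.4967",
        "vbr-02": "13.0.1.180",
        "vbr-03": "13.0.1.1071",
        "vbr-04": "12.3.1.1",
    }
    for host, result in triage(sample).items():
        print(f"{host}: {result}")
```

The default (non-strict) mode is the one to use for patch prioritisation, since it matches the remediation sentence above; strict mode is there for reconciling against the published CPE range.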
PUBLIC EXPLOITS

Exploits

1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos (1 hidden).

Valid: 1 / 2 total

CVE-2025-59470-PostgreSQL-Command-Injection · Maturity: PoC · Verified exploit

Repository contains a minimal proof-of-exploitation for a command injection vulnerability in PostgreSQL’s pg_backup extension affecting PostgreSQL 15.x (<15.7) and 16.x (<16.3).

Structure:
- README.md: states affected versions and describes unsanitized user-supplied parameters in pg_backup leading to OS command execution as the PostgreSQL user.
- exploit.py: Python script using psycopg2 to authenticate to a PostgreSQL instance (host "target", db "postgres", user "backup_operator") and call pg_backup() with a crafted argument that appends a shell command using ';'. The included payload attempts a bash reverse shell to 192.168.1.10:4444.
- exploit.sql: standalone SQL demonstrating the same injection technique, using curl to download and execute http://attacker.com/backdoor.sh.

Capabilities:
- Remote exploitation over the PostgreSQL protocol using valid credentials.
- Arbitrary command execution on the database host via argument injection into pg_backup.
- Demonstrated post-exploitation actions: reverse shell callback and remote script download/execute.

Notable observables/fingerprintable targets:
- Reverse shell endpoint: 192.168.1.10:4444
- HTTP payload host: http://attacker.com/backdoor.sh
- Local paths used in payloads: /tmp and /dev/tcp/192.168.1.10/4444

Note that the repository’s stated target (a pg_backup extension in PostgreSQL 15.x/16.x) does not match the product described in the advisory above (Veeam Backup & Replication 13), so weigh the "verified" label against that discrepancy before relying on the code as a reference for this CVE.

Author: George0Papasotiriou · Disclosed Feb 10, 2026 · Tags: python, sql, network
EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

Vendor            Product                       Type
Veeam Software    Veeam Backup & Replication    application

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

Social activity: 27

Community discussion across Reddit, Mastodon, and other social sources.