Veeam has released a critical security update for its Backup & Replication software to address multiple high-severity vulnerabilities.
The most concerning of these flaws could allow attackers to execute remote code with root-level privileges, potentially granting them full control over affected systems.
These vulnerabilities specifically affect Veeam Backup & Replication version 13.0.1.180 and all earlier version 13 builds.
Veeam has confirmed that previous versions, including the widely used 12.x branch, are not impacted by these issues.
Technical Risks
The disclosed vulnerabilities were discovered during internal testing and pose significant risks to backup infrastructure.
The flaws allow authenticated users who hold specific roles, such as Backup Operator or Tape Operator, to escalate their privileges.
One critical flaw, CVE-2025-59470, carries a CVSS score of 9.0 (Critical). It enables a Backup or Tape Operator to execute remote code as the postgres user by manipulating interval parameters.
However, Veeam has adjusted the severity rating to “High” because exploitation requires access to highly privileged roles, which should already be restricted in a secure environment.
Another severe issue, CVE-2025-55125, allows operators to achieve Remote Code Execution (RCE) as root by crafting a malicious backup configuration file.
| CVE ID | Severity | CVSS Score | Description |
| --- | --- | --- | --- |
| CVE-2025-55125 | High | 7.2 | Allows Backup/Tape Operators to perform RCE as root via malicious config files. |
| CVE-2025-59468 | Medium | 6.7 | Allows Backup Admins to perform RCE as postgres user via malicious password parameters. |
| CVE-2025-59469 | High | 7.2 | Allows Backup/Tape Operators to write files as root. |
| CVE-2025-59470 | High | 9.0 | Allows Backup/Tape Operators to perform RCE as postgres user via malicious parameters. |
Veeam urges all customers running version 13 to update immediately to prevent potential exploitation. These vulnerabilities have been resolved in the following build:
- Fixed Version: Veeam Backup & Replication 13.0.1.1071
Administrators should download the update from the official Veeam Knowledge Base (KB4738) and review their user role assignments to ensure least-privilege access is enforced.
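One way to script the triage described above, as an added example that is not Veeam's code or part of the advisory: it classifies each server's build numerically against the affected and fixed builds and lists the accounts whose roles reach a CVE from the table. The inventory, host names, accounts and role label strings are constructed assumptions, and builds between 13.0.1.180 and 13.0.1.1071 are reported as unverified because the advisory does not cover them.

```python
LAST_AFFECTED = (13, 0, 1, 180)   # highest build the advisory lists as affected
FIXED = (13, 0, 1, 1071)          # fixed build named in the advisory
# Role -> CVEs from the advisory table (role label strings are assumptions).
OPERATOR_CVES = ["CVE-2025-55125", "CVE-2025-59469", "CVE-2025-59470"]
ROLE_CVES = {
    "Backup Operator": OPERATOR_CVES,
    "Tape Operator": OPERATOR_CVES,
    "Backup Admin": ["CVE-2025-59468"],
}

def parse_build(text):
    """'13.0.1.180' -> (13, 0, 1, 180). Comparing the raw strings would
    sort '13.0.1.1071' before '13.0.1.180' and report the fix as vulnerable."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) != 4:
        raise ValueError(f"expected four numeric fields, got {text!r}")
    return parts

def classify(build_text):
    build = parse_build(build_text)
    if build[0] < 13:
        return "not-affected"   # advisory: 12.x and earlier are not impacted
    if build >= FIXED:
        return "fixed"
    if build <= LAST_AFFECTED:
        return "affected"
    return "unverified"         # between the two builds: advisory is silent

def triage(hosts):
    report = {}
    for host in hosts:
        status = classify(host["build"])
        exposure = {}
        if status in ("affected", "unverified"):
            for account, roles in host["roles"].items():
                cves = sorted({c for r in roles for c in ROLE_CVES.get(r, [])})
                if cves:
                    exposure[account] = cves
        report[host["name"]] = {"status": status, "exposure": exposure}
    return report

# Constructed sample inventory (host names, accounts and roles are made up).
INVENTORY = [
    {"name": "vbr-01", "build": "13.0.1.180", "roles": {"svc-tape": ["Tape Operator"], "alice": ["Backup Admin", "Backup Operator"], "bob": ["Viewer"]}},
    {"name": "vbr-02", "build": "13.0.1.1071", "roles": {"carol": ["Backup Operator"]}},
    {"name": "vbr-03", "build": "12.3.2.3617", "roles": {"dave": ["Tape Operator"]}},
]

if __name__ == "__main__":
    print(triage(INVENTORY))
```

Accounts listed under an affected host are the ones to review first for least-privilege, since each listed CVE requires one of those roles.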
