Overview
- CVE-2025-59470, rated CVSS 9.0, allows a Backup or Tape Operator to execute code as the postgres user by sending malicious interval or order parameters.
- Backup & Replication 13.0.1.180 and all earlier version 13 builds are affected; the fixes shipped in version 13.0.1.1071, released January 6.
- Veeam also fixed CVE-2025-55125, which enables RCE as root via a malicious backup configuration file; CVE-2025-59468, which enables RCE as postgres via a password parameter; and CVE-2025-59469, which allows file writes as root.
- Veeam classifies the primary flaw as high operational severity, on the grounds that the Backup and Tape Operator roles are highly privileged and that following its Security Guidelines reduces exploitability.
- The software has been targeted by ransomware groups in past incidents, which heightens the urgency for organizations to apply the updates promptly.
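
For patch triage against the build numbers above, the following added example (not Veeam code) classifies an inventory of installed builds. The hostnames and inventory rows are constructed, and treating every version 13 build below 13.0.1.1071 as vulnerable is a conservative assumption, since the overview names only 13.0.1.180 and earlier.

```python
# Added example: triage Backup & Replication builds against the fixed build
# named in the overview. Inventory rows and hostnames are constructed.
import re

FIXED_BUILD = (13, 0, 1, 1071)   # patched build stated in the overview
AFFECTED_MAJOR = 13              # the overview only speaks to version 13
_BUILD_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)\.(\d+)\s*$")


def parse_build(text):
    """Return a 4-tuple of ints, or None if the string is not a.b.c.d."""
    m = _BUILD_RE.match(text or "")
    return tuple(int(p) for p in m.groups()) if m else None


def classify(build_text):
    """Return 'vulnerable', 'patched', 'out-of-scope' (not a version 13
    build, so the overview makes no claim about it) or 'unparsed'."""
    build = parse_build(build_text)
    if build is None:
        return "unparsed"
    if build[0] != AFFECTED_MAJOR:
        return "out-of-scope"
    # Tuple comparison is numeric per component. Comparing the raw strings
    # would sort "13.0.1.1071" before "13.0.1.180" and misjudge the fix.
    # Assumption: any version 13 build below the fixed build is vulnerable.
    return "patched" if build >= FIXED_BUILD else "vulnerable"


def triage(inventory):
    """Map each status to the sorted list of hosts in that state."""
    report = {}
    for host, build_text in inventory:
        report.setdefault(classify(build_text), []).append(host)
    return {status: sorted(hosts) for status, hosts in report.items()}


# Constructed sample inventory; build strings other than the two from the
# overview are made up for illustration.
SAMPLE_INVENTORY = [
    ("vbr-01.example.internal", "13.0.1.180"),
    ("vbr-02.example.internal", "13.0.1.1071"),
    ("vbr-03.example.internal", "13.0.0.100"),
    ("vbr-04.example.internal", "12.0.0.1"),
    ("vbr-05.example.internal", "unknown"),
]

if __name__ == "__main__":
    for status, hosts in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{status:13} {', '.join(hosts)}")
```

Hosts reported as out-of-scope or unparsed need a manual check, because the overview says nothing about builds outside version 13.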