Veeam has released new security updates for its Backup & Replication software after discovering multiple vulnerabilities, including a serious flaw that can be exploited for remote code execution (RCE).
Both the vulnerability and the patch were reported by BleepingComputer. The vulnerabilities affect backup servers, which play a key role in many organizations' recovery after incidents and cyberattacks.
The most impactful vulnerability is registered as CVE-2025-59470 and affects version 13 of Veeam Backup & Replication up to and including build 13.0.1.180. This vulnerability allows a user with specific rights to remotely execute code under the postgres account. The cause lies in insufficient validation of certain parameters processed by the software.
Although the vulnerability was initially rated as critical, Veeam later downgraded its severity to high, as exploitation is only possible for accounts with the roles of Backup Operator or Tape Operator. These are roles with extensive privileges, which should only be used in a limited and strictly controlled manner in a well-configured environment.
In early January, Veeam released version 13.0.1.1071, which addresses this vulnerability. Two other security issues were addressed in the same update. These include a high-impact vulnerability that allows exploitation via a manipulated backup configuration file and a medium-impact issue where a malicious parameter can lead to code execution. In all cases, an attacker must already have access to the backup environment.
Known vulnerabilities have been resolved
According to additional documentation from Veeam itself, all known vulnerabilities have been completely resolved in this new build. The issues only occur in version 13 up to and including build 13.0.1.180; earlier major versions of the software are not affected. Veeam emphasizes that the vulnerabilities arise from scenarios in which users with extensive rights can exploit insufficiently validated input, which can result in code execution or system-level modifications. Although direct attacks from outside are not possible, the company considers abuse by an attacker who already has access to the network to be realistic.
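For triaging an inventory of backup servers against the build numbers above, the following is an added example (not Veeam's or the article's code). It assumes a four-part dotted build string; the host names and sample builds are constructed, and builds the article does not cover are flagged for manual review rather than guessed.

```python
import re

# Build boundaries as stated in the article.
LAST_AFFECTED = (13, 0, 1, 180)    # affected up to and including this build
FIRST_FIXED = (13, 0, 1, 1071)     # build that resolves the issues


def parse_build(text):
    """Parse 'a.b.c.d' into a tuple of ints, or None if malformed."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)\.(\d+)\s*", text)
    return tuple(int(part) for part in m.groups()) if m else None


def classify(build_text):
    """Map a build string to a triage status based on the article's ranges."""
    build = parse_build(build_text)
    if build is None:
        return "unparseable"
    if build[0] < 13:
        return "not-affected"      # earlier major versions are not affected
    if build[0] > 13:
        return "review"            # not covered by the article
    # Compare numerically: as plain strings, "13.0.1.1071" sorts BEFORE
    # "13.0.1.180", which would mislabel the fixed build as older.
    if build <= LAST_AFFECTED:
        return "affected"
    if build >= FIRST_FIXED:
        return "fixed"
    return "review"                # between last affected and first fixed


def triage(inventory):
    """Return {host: status} for a {host: build_string} inventory."""
    return {host: classify(build) for host, build in inventory.items()}


# Constructed sample inventory (hypothetical hosts and builds).
SAMPLE_INVENTORY = {
    "vbr-01.example.internal": "13.0.1.180",
    "vbr-02.example.internal": "13.0.1.1071",
    "vbr-03.example.internal": "12.1.0.100",
    "vbr-04.example.internal": "13.0.1.500",
    "vbr-05.example.internal": "unknown",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host:28} {status}")
```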
Veeam Backup & Replication is used in many organizations as an enterprise solution for securing and restoring critical data and applications after cyber incidents, hardware failures, or other disasters. It is precisely because of this central role that Veeam servers have long been an attractive target for cybercriminals. Ransomware groups regularly target backup infrastructure explicitly, because successful access not only simplifies data theft, but can also sabotage recovery by deleting backups before ransomware is rolled out.
Researchers and incident responders have linked multiple attacks in the past to the exploitation of vulnerabilities in Veeam software. Both ransomware groups and financially motivated threat actors used such vulnerabilities to move laterally through networks. In 2024, it was also found that several ransomware families were actively exploiting a previously discovered vulnerability in Veeam Backup & Replication.