Remote Code Execution in Veeam Backup & Replication by Backup Operators
CVE-2025-59470

9 CRITICAL

Key Information:

Vendor:
Veeam

CVE Published:
8 January 2026

Badges

👾 Exploit Exists
📰 News Worthy

What is CVE-2025-59470?

A vulnerability in Veeam Backup & Replication allows Backup Operators to execute arbitrary commands with the privileges of the postgres user by manipulating input parameters, which can lead to unauthorized access and command execution. Organizations using this software should assess their security posture and apply the recommended mitigations.

Affected Version(s)

Backup and Recovery 13.0.0

News Articles

Veeam resolves CVSS 9.0 RCE flaw and other security issues

Veeam patched a critical RCE flaw in Backup & Replication, CVE-2025-59470, rated CVSS 9.0, along with other vulnerabilities.

5 days ago

Veeam Patches Critical RCE Vulnerability with CVSS 9.0 in Backup & Replication

Veeam patched four Backup & Replication flaws, including CVE-2025-59470 (CVSS 9.0) enabling RCE; update to version 13.0.1.1071.

5 days ago

CVSS V3.1

Score:
9
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • 👾 Exploit known to exist

  • 📰 First article discovered by The Hacker News

  • Vulnerability Reserved
