Veeam backup software vulnerable to hackers

Veeam’s Backup & Replication software is vulnerable to four different bugs that hackers can exploit to execute their own code. Updates are available.

Veeam has fixed four vulnerabilities in version 13.0.1.1071 of Backup & Replication. The security flaws enabled, among other things, remote code execution (RCE) and unauthorized file manipulation.

Only in version 13

The vulnerabilities exclusively affect version 13.0.1.180 and older builds of version 13 of Veeam Backup & Replication. Older software versions such as 12.x are not affected, according to Veeam.

The most serious vulnerability, CVE-2025-59470, received a CVSS score of 9.0 and allows Backup or Tape Operators to execute code as the postgres user. Veeam describes the severity as ‘high’ because these user roles are already considered highly privileged.

A second serious vulnerability (CVE-2025-55125) allowed the same user roles to execute code as root via a malicious backup configuration file. CVE-2025-59469 likewise allowed files to be written as root. Both vulnerabilities received a CVSS score of 7.2.

The fourth security problem, CVE-2025-59468, concerned an error that allowed a Backup administrator to execute code as the postgres user via a manipulated password field. This vulnerability received a CVSS score of 6.7.

Patch available

All vulnerabilities were discovered during internal code audits and have been resolved in version 13.0.1.1071 of Veeam Backup & Replication. Veeam emphasizes the importance of timely updates, as malicious actors can analyze updates to exploit vulnerabilities in older, unpatched installations.

That is a real risk. The majority of successful cyber attacks exploit security flaws that were left unpatched longer than necessary. Backup systems are also favorite targets of attackers: with access, they can steal all data in one fell swoop and destroy the recovery options at the same time. The necessary updates are available via the official Veeam download page.
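A practical first step is to check which installations are still on an affected build. The following script is an added example, not Veeam's code: it applies the version boundaries stated above (only version 13 is affected, the last affected build is 13.0.1.180, the fix ships in 13.0.1.1071, 12.x is unaffected) to a constructed inventory of hostname/version pairs. The hostnames and the version strings in the inventory are made up for illustration; builds of version 13 that lie between 13.0.1.180 and the fixed build are, as an assumption, treated as affected because they are below the patched release.

```python
"""Triage Veeam Backup & Replication builds against the four CVEs in the
article (CVE-2025-59470, CVE-2025-55125, CVE-2025-59469, CVE-2025-59468).
Added example; not Veeam tooling. Version boundaries come from the article."""
from __future__ import annotations

AFFECTED_MAJOR = 13                 # article: only version 13 is affected
LAST_AFFECTED = (13, 0, 1, 180)     # article: 13.0.1.180 and older v13 builds
FIXED_BUILD = (13, 0, 1, 1071)      # article: fixed release


def parse_build(version: str) -> tuple[int, ...]:
    """Turn a dotted build string such as '13.0.1.180' into a comparable
    tuple, padding short strings ('13', '13.0') with zeros to four parts."""
    parts = version.strip().lstrip("vV").split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * max(0, 4 - len(nums))


def assess(version: str) -> str:
    """Classify one installation as 'not affected', 'affected' or 'patched'."""
    build = parse_build(version)
    if build[0] != AFFECTED_MAJOR:
        return "not affected"           # 12.x and earlier per the article
    if build >= FIXED_BUILD:
        return "patched"
    # Everything from 13.0.0.0 up to 13.0.1.180 is affected per the article.
    # Assumption: any other v13 build below the fixed release is treated the
    # same way, since it predates the fix.
    return "affected"


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Group hosts by status so the 'affected' list can be patched first."""
    groups: dict[str, list[str]] = {"affected": [], "patched": [], "not affected": []}
    for host, version in sorted(inventory.items()):
        groups[assess(version)].append(host)
    return groups


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "vbr-01.example.internal": "13.0.1.180",   # last affected build
    "vbr-02.example.internal": "13.0.1.1071",  # fixed build
    "vbr-03.example.internal": "12.3.0.0",     # 12.x: not affected
    "vbr-04.example.internal": "13.0.0.10",    # older v13 build
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:>12}: {', '.join(hosts) or '-'}")
```

Run it against an export of your own backup-server inventory; hosts in the `affected` group need the 13.0.1.1071 update before anything else, and the version parser rejects strings that are not dotted numbers rather than silently classifying them.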