Veeam says that four vulnerabilities could allow a user holding one of several operator or administrator roles in its flagship Backup & Replication suite to do serious damage to – but not destroy – a backup database.
The company has already issued a patch for the bugs, which, it says, should be applied immediately.
The worst of the vulnerabilities, CVE-2025-59470, carries a CVSS score of 9.0 and would allow a threat actor “to do something nefarious,” said Rick Vanover, Veeam’s vice-president of product strategy.
But he emphasized that, because of the immutable nature of the backup, data can’t be destroyed.
The issue: Veeam found that users holding the Backup Administrator, Backup Operator, or Tape Operator role in unpatched version 13 of the suite (builds 13.0.1.180 and earlier) have more permissions than they should. The patch corrects that.
Specifically, the flaws addressed are:
CVE-2025-59470 (CVSS 9.0) allows a Backup or Tape Operator to perform remote code execution (RCE) as the Postgres user on the backup server by sending a malicious interval or order parameter;
CVE-2025-59469 (CVSS 7.2) allows a Backup or Tape Operator to write files as root;
CVE-2025-55125 (CVSS 7.2) allows a Backup or Tape Operator to perform remote code execution (RCE) as root by creating a malicious backup configuration file;
CVE-2025-59468 (CVSS 6.7) allows a Backup Administrator to perform remote code execution (RCE) as the Postgres user by sending a malicious password parameter.
The patch, which takes the suite to build 13.0.1.1071, will be an “easy installation” that won’t be disruptive, Vanover said. As of Tuesday afternoon, Veeam hadn’t received reports of exploitation, he added.
“The good news is, if a Veeam server is broken, we can create a new server right away – presumably with this patch installed – import the backups and carry on. The core data is completely unimpacted by this,” Vanover said. “The worst type of thing would be the [backup] environment isn’t working right or the Postgres database is messed up on the Veeam server, so jobs might not behave in a way one might expect.”
In these cases, admins using the Veeam ONE monitoring and management suite would get an alert if, for example, a job was unable to connect to the backup server or backup jobs were failing.
The four vulnerabilities being patched are less severe than some because an attacker, internal or external, would first need valid credentials for an account holding one of the three roles, noted Johannes Ullrich, dean of research at the SANS Institute.
On the other hand, he added, backup systems like Veeam are prime targets for attackers, in particular ransomware operators, who often attempt to erase backups.
“Backup systems should be regularly audited to ensure that access rights, such as those mentioned in this vulnerability, are properly managed and only accessible to users who actually need them,” he said. “Authentication credentials should be reviewed to ensure they comply with the respective standards.”
Kellman Meghu, principal security architect at Canada-based risk management firm DeepCove Cybersecurity, said the worry is how the vulnerabilities could be used by a threat actor to get root privileges on the backup server, “which is the worst it can get as far as compromise. From the sounds of the exploit, just being able to update a config file could be the avenue for executing malicious commands at the highest privileges.”
Admins who can’t patch quickly, or who have been running unpatched builds for any length of time, should first audit all configuration files and job activity to confirm that no config file has changed and no unexpected actions have been executed. Alerts should be set for every backup process run, so each run is closely monitored until the suite can be patched.
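The two checks above – is the installed build at or past the fixed one, and have the configuration files changed since a known-good point – are the kind of thing worth scripting rather than eyeballing. The script below is an added example written for this page; it is not Veeam tooling and does not know how to read the build number off the appliance or where Veeam keeps its configuration. The build string and the config file paths are whatever the caller passes in, and the fixed and last-affected build numbers are the ones the article reports.

```shell
#!/bin/sh
# Added example, not Veeam's own tooling. Assumptions, labelled here:
#  - the installed build string is passed in as an argument; nothing here
#    reads it from the appliance;
#  - the files to baseline are whatever paths the caller supplies; no
#    real Veeam configuration path is assumed.
set -u

FIXED_BUILD="13.0.1.1071"      # build Veeam ships to close the four CVEs
LAST_VULN_BUILD="13.0.1.180"   # newest build the advisory lists as affected

# version_ge A B: succeed (return 0) when dotted build A >= B, comparing
# segment by segment as numbers, so 13.0.1.1071 > 13.0.1.180 even though a
# plain string compare would rank them the other way. Returns 2 on input
# that is not digits and dots.
version_ge() {
    case "$1$2" in *[!0-9.]*) return 2 ;; esac
    local a="$1." b="$2." x y
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; a=${a#*.}
        y=${b%%.*}; b=${b#*.}
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
    done
    return 0
}

# veeam_build_is_patched BUILD: succeed when BUILD carries the fix.
veeam_build_is_patched() {
    version_ge "$1" "$FIXED_BUILD"
}

# baseline_create MANIFEST FILE...: record a SHA-256 for each config file.
# Store MANIFEST somewhere the operator roles cannot write; on the backup
# server itself it would be within reach of the root file-write bug.
baseline_create() {
    local manifest=$1; shift
    sha256sum "$@" > "$manifest"
}

# baseline_verify MANIFEST: succeed only if every recorded file still
# matches; sha256sum prints the names of any that changed.
baseline_verify() {
    sha256sum -c "$1"
}

# Minimal command-line front end; does nothing when run without arguments.
case "${1:-}" in
    check-build)
        b="${2:-}"
        if veeam_build_is_patched "$b"; then
            echo "build $b: patched"
        else
            echo "build $b: affected (<= $LAST_VULN_BUILD family), update to $FIXED_BUILD"
        fi ;;
    baseline) shift; baseline_create "$@" ;;
    verify)   baseline_verify "${2:-}" ;;
    "")       : ;;
    *)        echo "usage: $0 check-build BUILD | baseline MANIFEST FILE... | verify MANIFEST" >&2 ;;
esac
```

Run `baseline` once on a host you trust, keep the manifest off the backup server, and run `verify` from a scheduled job alongside the per-run alerting Meghu recommends; a non-zero exit from `verify` is the signal to move to incident response rather than to quietly re-baseline.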
“Keep in mind,” he added, “if you do see unusual behavior, it is a sign that there is a malicious actor or inside threat operating, and you would need to take a holistic incident response.”
This article originally appeared on NetworkWorld.