Overview

  • CVE: CVE-2025-59468, CVE-2025-59469, CVE-2025-59470
  • Severity: Critical
  • Date: 9 Jan 2026

Summary

Veeam has released security updates for Backup and Recovery addressing three critical vulnerabilities (CVSS 9.0). These flaws enable authenticated users to execute remote code as the postgres user or write files as root, compromising the integrity of backup systems.

Affected Versions

See vendor advisory for affected versions.


Vulnerability Breakdown

CVE-2025-59468 – Remote Code Execution (RCE)

  • Severity: Critical
  • CVSS: 9.0
  • Description: Allows a Backup Administrator to perform remote code execution (RCE) as the postgres user by sending a malicious password parameter.
  • Impact: Full system compromise or unauthorised access to backup data.
  • Conditions: Requires Backup Administrator privileges.

CVE-2025-59469 – Arbitrary File Write

  • Severity: Critical
  • CVSS: 9.0
  • Description: Allows a Backup or Tape Operator to write files as root.
  • Impact: Privilege escalation to root, leading to full system control.
  • Conditions: Requires Backup or Tape Operator privileges.

CVE-2025-59470 – Remote Code Execution (RCE)

  • Severity: Critical
  • CVSS: 9.0
  • Description: Allows a Backup Operator to perform remote code execution (RCE) as the postgres user by sending a malicious interval or order parameter.
  • Impact: Unauthorised code execution and potential lateral movement.
  • Conditions: Requires Backup Operator privileges.

Mitigation

Apply the latest patches provided by Veeam immediately. Ensure all Veeam backup components are updated to the latest secure version.


Summary for IT Teams

  • Products: Veeam Backup and Recovery
  • Threat Level: Critical, CVSS 9.0
  • Action Required:
    • Patch all affected Veeam Backup and Recovery installations immediately.
    • Audit Backup and Tape Operator privileges to ensure only trusted users have access.
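The privilege audit above, as an added example that is not Veeam's own tooling: it reads a role-assignment export (the CSV layout with account, type and role columns is an assumption, and the rows below are constructed), flags every account holding one of the three roles the CVEs require unless it is on an approved allowlist, and always reports group assignments because their membership must be checked separately in the directory.

```python
"""Audit Veeam role assignments for the roles named in this advisory.

Added example, not Veeam code. The CSV layout (account,type,role) is an
assumed export format; the sample rows below are constructed.
"""
import csv
import io

# Roles that the three CVEs require, mapped to the CVEs each one exposes.
AT_RISK_ROLES = {
    "Backup Administrator": ["CVE-2025-59468"],
    "Backup Operator": ["CVE-2025-59469", "CVE-2025-59470"],
    "Tape Operator": ["CVE-2025-59469"],
}

# Constructed sample export; replace with a real one from the server.
SAMPLE_EXPORT = """account,type,role
CORP\\backup-svc,User,Backup Administrator
CORP\\jsmith,User,Backup Operator
CORP\\Domain Users,Group,Tape Operator
CORP\\auditor,User,Backup Viewer
"""


def audit_roles(export_text, approved):
    """Return findings for assignments to at-risk roles.

    approved: set of (account, role) pairs that are known and accepted.
    Group assignments are always reported, since their members are not
    visible in the export and must be reviewed in the directory.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        role = row["role"].strip()
        if role not in AT_RISK_ROLES:
            continue
        account = row["account"].strip()
        is_group = row.get("type", "").strip().lower() == "group"
        if (account, role) in approved and not is_group:
            continue
        findings.append({
            "account": account,
            "role": role,
            "cves": AT_RISK_ROLES[role],
            "reason": "group assignment: review members" if is_group
                      else "not on approved list",
        })
    return findings


if __name__ == "__main__":
    approved = {("CORP\\backup-svc", "Backup Administrator")}
    for f in audit_roles(SAMPLE_EXPORT, approved):
        print(f"{f['account']:<20} {f['role']:<21} "
              f"{', '.join(f['cves'])}  ({f['reason']})")
```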

Need Help?

If your organisation requires assistance identifying affected systems, applying the Veeam updates or reviewing backup access privileges, please contact our SOC team via soc@secure-iss.com.