Veeam Patches Critical RCE Vulnerability with CVSS 9.0 in Backup & Replication
Briefly

"Veeam has released security updates to address multiple flaws in its Backup & Replication software, including a "critical" issue that could result in remote code execution (RCE). The vulnerability, tracked as CVE-2025-59470, carries a CVSS score of 9.0. "This vulnerability allows a Backup or Tape Operator to perform remote code execution (RCE) as the postgres user by sending a malicious interval or order parameter," it said in a Tuesday bulletin."
"According to Veeam's documentation, a user with a Backup Operator role can start and stop existing jobs; export backups; copy backups; and create VeeamZip backups. A Tape Operator user, on the other hand, can run tape backup jobs or tape catalog jobs; eject tapes; import and export tapes; move tapes to a media pool; copy or erase tapes; and set a tape password."
Veeam released security updates for Backup & Replication 13.0.1.180 and earlier version 13 builds that address four vulnerabilities, including a critical remote code execution flaw. CVE-2025-59470 carries a CVSS score of 9.0 and allows a Backup or Tape Operator to execute code as the postgres user by sending a malicious interval or order parameter. CVE-2025-55125 allows a Backup or Tape Operator to achieve RCE as root via a malicious backup configuration file. CVE-2025-59468 enables a Backup Administrator to perform RCE as postgres using a malicious password parameter. CVE-2025-59469 permits a Backup or Tape Operator to write files as root. All four flaws are fixed in version 13.0.1.1071. Veeam notes that following its recommended security guidelines reduces the opportunity for exploitation.
Read at The Hacker News