Veeam issues patch to close critical remote code execution flaw
Veeam has released an update to fix a security flaw in its Backup & Replication software that could let users holding certain operator roles run code on affected systems.
The main issue, tracked as CVE-2025-59470, affects all Veeam Backup & Replication version 13 builds, according to a security advisory released Tuesday. Veeam said older product lines, including 12.x and earlier, are not affected by the vulnerabilities listed.
Veeam said the flaw could allow someone with the “Backup Operator” or “Tape Operator” role to carry out remote code execution by sending a malicious “interval” or “order” setting. The company said that would let the attacker run commands as the “postgres” user, the account under which the product’s database runs.
The vulnerability has a CVSS score of 9.0, which is typically labeled “critical.” Veeam, however, said it is treating the flaw as high severity because it can only be used by someone who already has one of those operator roles.
“The Backup and Tape Operator roles are considered highly privileged roles and should be protected as such,” Veeam said in the advisory. The company added that following its security guidelines can reduce the chance of the issue being exploited.
Veeam’s documentation describes the permissions tied to those roles. A Backup Operator can start and stop existing backup jobs and export or copy backups, including creating VeeamZip backups. A Tape Operator can run tape backup and tape catalog jobs, eject tapes, import and export tapes, move tapes between media pools, copy or erase tapes and set a tape password.
Veeam said the flaw was found during internal testing. The advisory does not say if the company has seen it being used in attacks.
Veeam said the update also patches other vulnerabilities, but CVE-2025-59470 is the only one with a “critical” score.
Veeam Backup & Replication is used by organizations to make copies of important data and applications so they can be restored after cyberattacks, hardware failures or other disruptions.
The full advisory can be found on Veeam’s website.