CVE-2025-59470: Critical RCE in Veeam Backup & Replication Software
A significant security update from Veeam addressed multiple vulnerabilities in its Backup & Replication platform, including CVE-2025-59470, a remote code execution flaw with a CVSS score of 9.0. This vulnerability — along with several others resolved in the January patch release — affects version 13.0.1.180 and earlier builds of the software and underscores the importance of securing backup infrastructure against critical threats.
CVE-2025-59470 allows authenticated users holding the Backup Operator or Tape Operator role to execute arbitrary code as the PostgreSQL database user by sending crafted parameters over the network. While Veeam has internally downgraded the practical severity because privileged access is a prerequisite, the risk remains high in environments where such roles may be misused or operator credentials have been exposed.
In addition to CVE-2025-59470, the security update fixes other serious issues like CVE-2025-55125 — which enables RCE as root via malicious backup configuration files — and vulnerabilities that permit arbitrary file writes or RCE through other mechanisms.
Because backup systems are central to business continuity and disaster recovery, securing them against even edge-case privilege misuse is essential. Organizations should apply the Veeam 13.0.1.1071 patch immediately, review operator access controls, and implement additional monitoring around backup operations to detect suspicious activities.
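For the patching step, the first practical task is working out which backup servers still run an affected build. The triage helper below is an added example, not Veeam's own code or tooling: it encodes only the two boundaries the advisory states (13.0.1.180 as the last affected build, 13.0.1.1071 as the fixed build), treats anything between them as needing manual review because the advisory does not classify that band, and runs over a constructed sample inventory. It also shows why versions must be compared numerically: as strings, "13.0.1.1071" sorts before "13.0.1.180", which would mark the patched build as vulnerable.

```python
"""Version triage for the Veeam Backup & Replication advisory above.

Added example, not Veeam's code or tooling. It encodes only the version
boundaries the advisory states; the inventory below is constructed.
"""
from __future__ import annotations

AFFECTED_MAX = "13.0.1.180"   # last build the advisory lists as affected
FIXED_BUILD = "13.0.1.1071"   # build that carries the fix


def parse_version(version: str) -> tuple[int, ...]:
    """Split a dotted version into integers so 1071 compares greater than 180.

    A plain string comparison gets this wrong: "13.0.1.1071" < "13.0.1.180"
    lexicographically, which would report the patched build as affected.
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    return tuple(int(p) for p in parts)


def classify(version: str) -> str:
    """Return 'affected', 'patched' or 'review' for an installed build.

    'review' is this example's own label for builds newer than 13.0.1.180
    but older than 13.0.1.1071, which the advisory text does not classify.
    """
    v = parse_version(version)
    if v <= parse_version(AFFECTED_MAX):
        return "affected"
    if v >= parse_version(FIXED_BUILD):
        return "patched"
    return "review"


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Group hostnames by classification so affected servers are patched first."""
    groups: dict[str, list[str]] = {"affected": [], "review": [], "patched": []}
    for host, version in inventory.items():
        groups[classify(version)].append(host)
    return groups


# Constructed sample inventory: hostname -> installed build. Hostnames and the
# builds other than the two advisory values are placeholders, not real data.
SAMPLE_INVENTORY = {
    "vbr-prod-01": "13.0.1.180",
    "vbr-prod-02": "12.1.0.0",
    "vbr-dr-01": "13.0.1.500",
    "vbr-lab-01": "13.0.1.1071",
}

if __name__ == "__main__":
    for state, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{state:9s} {', '.join(hosts) or '-'}")
```

In practice the inventory dictionary would be populated from whatever asset source records the installed Veeam build; the classification logic is independent of how that data is collected.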