Article Details

New Veeam vulnerabilities expose backup servers to RCE attacks. Veeam released security updates to patch multiple security flaws in its Backup & Replication software, including a critical remote code execution (RCE) vulnerability. Tracked as CVE-2025-59470, this RCE security flaw affects Veeam Backup & Replication 13.0.1.180 and all earlier version 13 builds. "This vulnerability allows a Backup or Tape Operator to perform remote code execution (RCE) as the postgres user by sending a malicious interval or order parameter," Veeam explained in a Tuesday advisory. However, the information technology company adjusted its rating to high severity because it can only be exploited by attackers with the Backup or Tape Operator roles. "The Backup and Tape Operator roles are considered highly privileged roles and should be protected as such. Following Veeam's recommended Security Guidelines further reduces the opportunity for exploitability," it added. Veeam released version 13.0.1.1071 on January 6 to patch CVE-2025-59470 and address two other high-severity (CVE-2025-55125) and medium-severity (CVE-2025-59468) vulnerabilities that enable malicious backup or tape operators to gain remote code execution by creating a malicious backup configuration file or sending a malicious password parameter, respectively. Veeam's Backup & Replication (VBR) enterprise data backup and recovery software helps create copies of critical data and applications that can be quickly restored following cyberattacks, hardware failures, or disasters. Veeam flaws targeted by ransomware gangs VBR is particularly popular among mid-sized to large enterprises and managed service providers, but it's also often targeted by ransomware gangs, since it can serve as a quick pivot point for lateral movement within victims' environments. Ransomware gangs have previously told BleepingComputer that they always target victims' VBR servers because it simplifies data theft and makes it easy to block restoration efforts by deleting backups before deploying ransomware payloads. The Cuba ransomware gang and the financially motivated FIN7 threat group (which had previously collaborated with the Conti, REvil, Maze, Egregor, and BlackBasta ransomware gangs) have also been linked to attacks targeting VBR vulnerabilities in the past. More recently, Sophos X-Ops incident responders revealed in November 2024 that Frag ransomware exploited another VBR RCE vulnerability (CVE-2024-40711) disclosed two months earlier. The same security flaw was also used in Akira and Fog ransomware attacks targeting vulnerable Veeam backup servers starting in October 2024. Veeam's products are used by over 550,000 customers worldwide, including 74% of Global 2,000 firms and 82% of Fortune 500 companies. 7 Security Best Practices for MCP As MCP (Model Context Protocol) becomes the standard for connecting LLMs to tools and data, security teams are moving fast to keep these new services safe. This free cheat sheet outlines 7 best practices you can start using today.