{"id":15425,"date":"2026-01-08T02:03:17","date_gmt":"2026-01-08T02:03:17","guid":{"rendered":"https:\/\/newestek.com\/?p=15425"},"modified":"2026-01-08T02:03:17","modified_gmt":"2026-01-08T02:03:17","slug":"holes-in-veeam-backup-suite-allow-remote-code-execution-creation-of-malicious-backup-config-files","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=15425","title":{"rendered":"Holes in Veeam Backup suite allow remote code execution, creation of malicious backup config files"},"content":{"rendered":"<div>\n<div id=\"remove_no_follow\">\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<p>Veeam <a href=\"https:\/\/www.veeam.com\/kb4792\" target=\"_blank\" rel=\"noreferrer noopener\">says that four vulnerabilities<\/a> could allow a person with certain oversight roles for its flagship Backup &amp; Replication suite to do serious damage to \u2013 but not destroy \u2013 a backup database.<\/p>\n<p>The company has already issued a patch for the bugs, which, it says, should be applied immediately.<\/p>\n<p>The worst of the vulnerabilities, CVE-2025-59470, carries a criticality score of 9 and would allow a threat actor \u201cto do something nefarious,\u201d said <a href=\"https:\/\/www.linkedin.com\/in\/rickvanover\/\" target=\"_blank\" rel=\"noreferrer noopener\">Rick Vanover<\/a>, Veeam\u2019s vice-president of product strategy.<\/p>\n<p>But he emphasized that, because of the immutable nature of the backup, data can\u2019t be destroyed.<\/p>\n<p>The issue: Veeam discovered that a person holding the Backup Admin, Backup Operator, or Tape Operator role in unpatched version 13 of the suite (versions 13.0.1.180 and earlier) has more permissions than they should. 
The patch corrects that.<\/p>\n<p>Specifically, the flaws addressed are:<\/p>\n<ul class=\"wp-block-list\">\n<li>CVE-2025-59470 (with a CVSS score of 9) allows a Backup or Tape Operator to perform remote code execution (RCE) as the\u00a0Postgres\u00a0user by sending a malicious interval or order parameter;<\/li>\n<li>CVE-2025-59469 (with a severity score of 7.2) allows a Backup or Tape Operator to write files as root;<\/li>\n<li>CVE-2025-55125 (with a severity score of 7.2) allows a Backup or Tape Operator to perform remote code execution (RCE) as root by creating a malicious backup configuration file;<\/li>\n<li>CVE-2025-59468 (with a severity score of 6.7) allows a Backup Administrator to perform remote code execution (RCE) as the\u00a0Postgres\u00a0user by sending a malicious password parameter.<\/li>\n<\/ul>\n<p>The patch to version 13.0.1.1071 will be an \u201ceasy installation\u201d that won\u2019t be disruptive, Vanover said. As of Tuesday afternoon, Veeam hadn\u2019t received reports of exploitation, he added.<\/p>\n<p>\u201cThe good news is, if a Veeam server is broken, we can create a new server right away \u2013 presumably with this patch installed \u2013 import the backups and carry on. The core data is completely unimpacted by this,\u201d Vanover said. 
\u201cThe worst type of thing would be the [backup] environment isn\u2019t working right or the Postgres database is messed up on the Veeam server, so jobs might not behave in a way one might expect.\u201d<\/p>\n<p>In these cases, admins using the Veeam ONE monitoring and management suite would get an alert if, for example, a job was unable to connect to the backup server or backup jobs were failing.<\/p>\n<p>The four vulnerabilities being patched are less severe than some because an attacker, internal or external, would need valid credentials for one of the three specific roles, noted <a href=\"https:\/\/www.sans.org\/profiles\/dr-johannes-ullrich\" target=\"_blank\" rel=\"noreferrer noopener\">Johannes Ullrich<\/a>, dean of research at the SANS Institute.<\/p>\n<p>On the other hand, he added, backup systems like Veeam are targets for attackers, in particular those who inject ransomware, who often attempt to erase backups.<\/p>\n<p>\u201cBackup systems should be regularly audited to ensure that access rights, such as those mentioned in this vulnerability, are properly managed and only accessible to users who actually need them,\u201d he said. \u201cAuthentication credentials should be reviewed to ensure they comply with the respective standards.\u201d<\/p>\n<p><a href=\"https:\/\/www.linkedin.com\/in\/kellman\/?originalSubdomain=ca\" target=\"_blank\" rel=\"noreferrer noopener\">Kellman Meghu<\/a>, principal security architect at Canada-based risk management firm DeepCove Cybersecurity, said the worry is how the vulnerabilities could be used by a threat actor to get root privileges to the backup, \u201cwhich is the worst it can get as far as compromise. 
From the sounds of the exploit, just being able to update a config file could be the avenue for executing malicious commands at the highest privileges.\u201d<\/p>\n<p>Admins who can\u2019t patch quickly, or who have been running unpatched versions for any length of time, should first audit all configuration files and operations to confirm that no config files have been changed and no unexpected additional actions have been executed. Alerts should be set for every run of the backup process, so it is closely monitored until the suite can be patched.<\/p>\n<p>\u201cKeep in mind,\u201d he added, \u201cif you do see unusual behavior, it is a sign that there is a malicious actor or inside threat operating, and you would need to take a holistic incident response.\u201d<\/p>\n<p><em>This article originally appeared on <a href=\"https:\/\/www.networkworld.com\/article\/4114036\/holes-in-veeam-backup-suite-allow-remote-code-execution-creation-of-malicious-backup-config-files.html\" target=\"_blank\">NetworkWorld<\/a>.<\/em><\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Veeam says that four vulnerabilities could allow a person with certain oversight roles for its flagship Backup &amp; Replication suite to do serious damage to \u2013 but not destroy \u2013 a backup database. The company has already issued a patch for the bugs, which, it says, should be applied immediately. 
The worst of the vulnerabilities, CVE-2025-59470, carries a criticality score of 9 and would allow&#8230; <\/p>\n<p class=\"more\"><a class=\"more-link\" href=\"https:\/\/newestek.com\/?p=15425\">Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-15425","post","type-post","status-publish","format-standard","hentry","category-uncategorized","is-cat-link-borders-light is-cat-link-rounded"],"_links":{"self":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/15425","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=15425"}],"version-history":[{"count":0,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/15425\/revisions"}],"wp:attachment":[{"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=15425"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=15425"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=15425"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}