Back to threat alerts

Veeam RCE Vulnerabilities in Backup & Replication Product

Veeam Software disclosed a suite of critical vulnerabilities impacting its flagship Backup & Replication (VBR) platform. These flaws, most notably CVE-2025-59470 and CVE-2025-55125, facilitate Remote Code Execution (RCE), allowing attackers to compromise the backup infrastructure. A successful exploit provides a centralised hub for data exfiltration and enables attackers to irreversibly encrypt or delete recovery points, effectively neutralising an organisation's ransomware recovery capabilities.

Threat alert
January 8, 2026
The Kill Chain of the Exploit:

Exploit Delivery:

  • Network Log: HTTP/API request to the Veeam server on port 9392 containing an unusually long or malformed interval or order parameter.
  • Veeam Logs: Review Svc.VeeamBackup.log for database query exceptions or timeouts immediately preceding suspicious system activity.

Execution (Postgres Context):

  • Process Execution: The parent process postgres.exe (on Windows) or the postgres daemon (on Linux) will spawn a child process that is not a database worker.
  • Detection Rule: Alert if postgres.exe spawns cmd.exe, powershell.exe, whoami, net user, or /bin/sh. This is a high-fidelity indicator of RCE.5

Persistence:

  • File System: Look for the creation of files in the Veeam "Mount" directories or the "Backup" directories that are executable scripts
  • User Accounts: Check for the creation of local users point, point2, VeeamBkp, or backdoor.

CVE-2025-59470: The PostgreSQL Command Injection
  • Component: Database Interaction Layer
  • Requirement: Authenticated (Backup Operator / Tape Operator)
  • Description: A flaw in how the Veeam Backup Service constructs queries allows an authenticated user to perform command injection via the interval or order parameters in API requests. This leads to code execution within the context of the underlying PostgreSQL database.

CVE-2025-55125: Root RCE via Malicious Configuration
  • Component: Configuration Import Service
  • Requirement: Authenticated (Backup Operator / Tape Operator)
  • Description: This vulnerability leverages a deserialisation weakness. By submitting a specially crafted backup configuration file, an attacker can trigger RCE with root/SYSTEM privileges during the object validation process.

Impact of Root access

               Wipe Storage: Execute “rm -rf /” or “dd if=/dev/zero of=/dev/sdX” to securely erase backup repositories

               Persistence: Install kernel-level rootkits or modify system binaries to ensure access remains even after the vulnerability is patched

               Bypass Immutability: Root users can potentially modify system clocks to expire retention locks or unload kernel-level security modules.

Vulnerable Versions
Veeam Version Affected Builds Fixed Build (Patch) CVEs addressed
VBR v13 13.0.1.180 & earlier 13.0.1.1071 CVE-2025-59470, CVE-2025-55125, CVE-2025-59469, CVE-2025-59468
VBR v12 12.3.2.3617 & earlier 12.3.2.4165 CVE-2025-48983, CVE-2025-48984 (Mount Service RCE)
VBR v12 12.3.1.1139 & earlier 12.3.2.3617 CVE-2025-23121, CVE-2025-24286
Recommendations
  • Immediate Patching: Verify build versions across the entire backup estate and prioritise upgrading to the fixed builds listed above.
  • Role Audit: Conduct a "Least Privilege" audit of the Backup Operator and Tape Operator roles. Remove any accounts that do not have a strict operational requirement for these permissions.
  • Network Segmentation:
    • Isolate the Backup Server from the internet to prevent Command & Control (C2) beaconing.
    • Restrict inbound traffic on ports 9392 and 6180 to authorised management subnets only.
  • Enable Multi-Factor Authentication (MFA) for the Veeam Console.
  • Utilise Linux Hardened Repositories (LHR) with immutability flags enabled to protect against root-level deletion attempts.