CVE-2025-59470
published 2026-01-08

CVE-2025-59470: This vulnerability allows a Backup Operator to perform remote code execution (RCE) as the postgres user by sending a malicious interval or order parameter.

Priority: P2 · 61
CVSS 3.1: 9.0 critical
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L
EPSS: 1.49% (70.8th percentile)
Affected (2 ranges)

Vendor   Product                    Version range                       Fixed in
veeam    backup_and_recovery        13.0.0 – 13.0.0                     (not listed)
veeam    veeam_backup_replication   >= 13.0.0.4967, < 13.0.1.1071       13.0.1.1071

Detection & IOCs (extracted from sources)

  • The exploit targets Veeam Backup & Replication build 13.0.1.180 and all earlier version 13 builds; a host running one of these builds is a vulnerable target
  • Exploitation requires the attacker to hold the Backup Operator or Tape Operator role; monitor for unexpected assignments of these roles in Veeam
  • Successful exploitation yields code execution as the postgres OS/DB user; alert on unexpected processes or commands spawned by the postgres account on Veeam backup servers
  • The attack vector is a malicious interval or order parameter sent to the Veeam service; inspect API/network traffic to Veeam for anomalous interval/order parameter values
  • Exploitability is limited to authenticated users holding the Backup Operator or Tape Operator role, which Veeam considers highly privileged; unauthenticated exploitation is not possible
  • Following Veeam's recommended Security Guidelines reduces exploitability; the patched build 13.0.1.1071 (released January 6) fully remediates the vulnerability