
Critical Veeam Flaws Let Hackers Execute Code on Backup Servers

Summary

– Veeam patched a critical remote code execution (RCE) flaw, CVE-2025-59470, in its Backup & Replication software, affecting version 13.0.1.180 and earlier.
– The vulnerability’s severity was adjusted to high because exploitation requires the attacker to already have privileged Backup or Tape Operator access.
– The update also fixed two other vulnerabilities that could allow malicious operators to achieve remote code execution through different methods.
– Veeam’s software is a frequent target for ransomware gangs, as compromising it can facilitate data theft and block recovery efforts.
– Multiple ransomware groups, including Cuba, FIN7, Frag, Akira, and Fog, have exploited Veeam vulnerabilities in past attacks.

Veeam has issued crucial security patches for its widely used Backup & Replication software, addressing a set of vulnerabilities that could allow attackers to execute malicious code on backup servers. The most serious issue, tracked as CVE-2025-59470, is a critical remote code execution flaw impacting Veeam Backup & Replication 13.0.1.180 and all earlier version 13 releases. According to the company’s advisory, this vulnerability enables a user with Backup or Tape Operator privileges to run arbitrary code remotely by sending a specially crafted interval or order parameter.

While the initial assessment was critical, Veeam later adjusted the severity rating to high. This adjustment reflects the requirement that an attacker must already possess the credentials for a highly privileged Backup or Tape Operator account. The company emphasized that these roles should be rigorously protected and that following its established security guidelines significantly lowers the risk of exploitation.

The update, version 13.0.1.1071 released on January 6, resolves CVE-2025-59470 alongside two other security weaknesses. These include a high-severity flaw, CVE-2025-55125, which could allow a malicious operator to achieve remote code execution by creating a tampered backup configuration file. The third patched issue, a medium-severity vulnerability tracked as CVE-2025-59468, involves sending a malicious password parameter to gain similar remote execution capabilities.

Veeam Backup & Replication is a cornerstone of enterprise data protection strategies, enabling organizations to create reliable copies of vital data and applications for rapid recovery after incidents like ransomware attacks or system failures. Its popularity, however, has made it a prime target for cybercriminals. Ransomware groups frequently seek out and compromise VBR servers because they provide a powerful foothold for moving laterally across a network. By gaining control of these servers, attackers can not only steal sensitive data but also deliberately delete backup files to cripple an organization’s ability to restore operations, thereby increasing the pressure to pay a ransom.

Historical evidence underscores this threat. Groups like the Cuba ransomware operation and the financially motivated FIN7 threat actor, known for alliances with various ransomware cartels, have previously exploited vulnerabilities in Veeam’s software. In a more recent campaign observed in late 2024, Sophos X-Ops reported that Frag ransomware actively weaponized another VBR remote code execution flaw, CVE-2024-40711. This same vulnerability was also leveraged in separate attacks by Akira and Fog ransomware gangs, targeting unpatched Veeam backup servers to devastating effect.

Given that Veeam’s products are deployed by more than 550,000 customers globally, including a substantial majority of the world’s largest corporations, these vulnerabilities present a significant risk. System administrators are urged to apply the latest security patches immediately and to review access controls for all backup-related administrative accounts.
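For patch triage, the two build numbers quoted above (13.0.1.180 as the last affected build, 13.0.1.1071 as the fixed build) have to be compared numerically, because a plain string comparison sorts "1071" before "180". The following sketch is an added example, not code from Veeam or from the original article; the hostnames, the inventory format and the status labels are assumptions, and "out-of-scope" only means the article does not cover that major version.

```python
# Added example: classify Veeam Backup & Replication build strings from an
# asset inventory against the builds quoted in the article.
AFFECTED_MAX = (13, 0, 1, 180)   # last build the article lists as affected
FIXED_MIN = (13, 0, 1, 1071)     # build the article lists as fixed

def parse_build(text):
    """Turn '13.0.1.180' into (13, 0, 1, 180); raise ValueError otherwise."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part build string: {text!r}")
    return tuple(int(p) for p in parts)

def classify(build_text):
    """Return patched, vulnerable, verify, out-of-scope or unparseable."""
    try:
        build = parse_build(build_text)
    except ValueError:
        return "unparseable"      # fix the inventory record, then re-check
    if build[0] != 13:
        return "out-of-scope"     # the article only covers version 13 releases
    if build >= FIXED_MIN:        # tuple comparison is numeric per component
        return "patched"
    if build <= AFFECTED_MAX:
        return "vulnerable"
    return "verify"               # between the two builds: article is silent

def triage(inventory):
    """Map each host in {host: build_string} to its status."""
    return {host: classify(build) for host, build in inventory.items()}

# Constructed sample inventory (hostnames and the non-article builds are made up).
SAMPLE = {
    "vbr-prod-01": "13.0.1.180",
    "vbr-prod-02": "13.0.1.1071",
    "vbr-dr-01": "13.0.1.500",
    "vbr-lab-01": "12.0.0.1",
    "vbr-old-01": "unknown",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE).items()):
        print(f"{host:12} {SAMPLE[host]:12} {status}")
```

Hosts reported as "verify" or "unparseable" need a manual check against the vendor advisory rather than being assumed safe.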

(Source: Bleeping Computer)
