Below is a breakdown of four newly disclosed Veeam vulnerabilities discovered during internal testing.
CVE-2025-55125
A flaw that allows a Backup or Tape Operator to achieve remote code execution (RCE) as root by crafting a malicious backup configuration file.
- Severity: High
- CVSS v3.1: 7.2
- Source: Discovered during internal testing
CVE-2025-59468
A vulnerability enabling a Backup Administrator to execute remote code as the postgres user by supplying a malicious password parameter.
- Severity: Medium
- CVSS v3.1: 6.7
- Source: Discovered during internal testing
CVE-2025-59469
A security issue that allows a Backup or Tape Operator to write arbitrary files with root privileges.
- Severity: High
- CVSS v3.1: 7.2
- Source: Discovered during internal testing
CVE-2025-59470
A vulnerability that allows a Backup or Tape Operator to gain remote code execution (RCE) as the postgres user by sending a malicious interval or order parameter.
- Severity: Critical
- CVSS v3.1: 9.0
- Source: Discovered during internal testing
🔗 Veeam Security Advisory
Veeam KB4738: https://www.veeam.com/kb4738