Cyber Resilience

CVE-2025-59470

CriticalRCE

Published: 08 January 2026

Published
08 January 2026
Modified
14 January 2026
KEV Added
Patch
CVSS Score v3.1 9.0 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L
EPSS Score 0.0149 70.7th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2025-59470 is a critical-severity Command Injection (CWE-77) vulnerability in Veeam Veeam Backup \& Replication. Its CVSS base score is 9.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210); ranked in the top 29.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-59470 is a command injection vulnerability (CWE-77) that allows a Backup Operator to perform remote code execution (RCE) as the postgres user by sending a malicious interval or order parameter. It affects Veeam software components involving postgres, with a CVSS v3.1 base score of 9.0 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L), highlighting its critical severity due to network-based exploitation, low complexity, required high privileges, no user interaction, scope change, high confidentiality and integrity impacts, and low availability impact. The vulnerability was published on 2026-01-08.

A Backup Operator, possessing high privileges (PR:H), can exploit this vulnerability over the network (AV:N) with low attack complexity (AC:L) and no need for user interaction (UI:N). Successful exploitation enables remote code execution as the postgres user, granting the attacker the ability to execute arbitrary commands in that context, potentially compromising database integrity and confidentiality.

Veeam has published knowledge base article KB4792 at https://www.veeam.com/kb4792, which details mitigation strategies and available patches for addressing CVE-2025-59470.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

This vulnerability allows a Backup Operator to perform remote code execution (RCE) as the postgres user by sending a malicious interval or order parameter.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1210 Exploitation of Remote Services Lateral Movement
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
Why these techniques?

Command injection vulnerability enables remote code execution on Veeam components involving PostgreSQL over the network by a high-privileged Backup Operator, directly facilitating Exploitation of Remote Services (T1210).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-59468Same product: Veeam Veeam Backup \& Replication
CVE-2025-55125Same product: Veeam Veeam Backup \& Replication
CVE-2026-21671Same product: Veeam Veeam Backup \& Replication
CVE-2026-21667Same product: Veeam Veeam Backup \& Replication
CVE-2025-23120Same product: Veeam Veeam Backup \& Replication
CVE-2025-48983Same product: Veeam Veeam Backup \& Replication
CVE-2026-21666Same product: Veeam Veeam Backup \& Replication
CVE-2026-21669Same product: Veeam Veeam Backup \& Replication
CVE-2025-48984Same product: Veeam Veeam Backup \& Replication
CVE-2026-21708Same product: Veeam Veeam Backup \& Replication

Affected Assets

veeam
veeam backup \& replication
13.0.0.4967 — 13.0.1.1071

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Applying Veeam patches from KB4792 directly remediates the command injection flaw enabling RCE via malicious interval or order parameters.

prevent

Validating interval and order parameters against organization-defined rules prevents command injection payloads from executing arbitrary commands as the postgres user.

prevent

Enforcing least privilege on Backup Operator accounts restricts access to vulnerable parameter inputs, limiting exploitation opportunities and RCE impact.

References