Veeam on Jan. 6 patched three flaws in its backup systems — one of them a critical bug — that can let backup and tape operators launch remote code execution (RCE).In its advisory, Veeam told security teams that the backup and tape operator roles are considered highly privileged and organizations should protect them as such.Veeam released version 13.0.1.1071 to patch CVE-2025-59470 (CVSS 9.0), and patched high-severity (CVE-2025-55125) and medium-severity (CVE-2025-59468) flaws that allowed for an RCE.“Backup systems are a consistent target for cybercriminals because they control recovery, data protection, and in many cases have broad access across infrastructure,” said Shane Barney, chief information security officer at Keeper Security. “If an attacker gains control of one of these privileged roles — whether through credential theft, misconfiguration, or insider misuse — vulnerabilities like this can be used to execute code and weaken an organization’s ability to recover from an attack.”Barney said Veeam acted appropriately by disclosing and patching the issue. However, organizations must understand that patching alone isn’t enough. Teams need to treat backup operator accounts as the most sensitive class of privileged access, explained Barney, with strict access controls, continuous monitoring and minimal standing permissions.“When privileged access gets tightly governed, the real-world impact of vulnerabilities like this is significantly reduced,” said Barney.Jacob Warner, director of IT at Xcape Inc., said an attacker who has already compromised a lower-level backup or tape operator account can gain complete control of the backup server by exploiting malicious parameters, effectively seizing control of the organization's recovery process.“Veeam's consistent presence in breach reports isn't coincidental,” said Warner. “In 2026, backup servers have become key reconnaissance targets for ransomware groups like Akira and Fog. Veeam and numerous other products provide a centralized, often unencrypted ‘gold copy’ of an enterprise's sensitive data that enables attackers to exfiltrate massive datasets and disable recovery from a single point.”Uri Aronovici, co-founder and CTO of Zest Security, added that the critical Veeam flaw is especially concerning because backup systems are a high-value target once attackers gain privileged access.“Backup and operator roles are broader than organizations realize,” said Aronovici. “If and when identities are abused, an attacker gains access to backups and can delete, encrypt, or tamper with recovery data. That turns a ransomware incident into a full operational shutdown.”
Ransomware, Vulnerability Management, Patch/Configuration Management, Identity
Veeam patches three RCE flaws in backup systems, one critical
POZNAN, POL – FEB 6, 2021: Laptop computer displaying logo of Veeam Software, an IT company that develops backup, disaster recovery and intelligent data management software
An In-Depth Guide to Ransomware
Get essential knowledge and practical strategies to protect your organization from ransomware attacks.
Related Events
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds