Veeam has disclosed multiple security flaws in its Backup & Replication (VBR) software that expose backup infrastructure to remote code execution (RCE). The most severe of them, CVE-2025-59470, and two additional issues were patched on January 6, 2026.

Vulnerabilities Identified: Veeam released patches for three security flaws in its Backup & Replication (VBR) software:

  • CVE-2025-59470: RCE allowing users holding the Backup Operator or Tape Operator role to execute code as the postgres user via malicious request parameters.
  • CVE-2025-55125 (High) and CVE-2025-59468 (Medium): Permit remote code execution through a crafted backup configuration file or a malicious password parameter.

Severity Rating: 

  • CVE-2025-59470: Initially rated Critical, later downgraded to High because exploitation requires an account that already holds a privileged VBR role.
  • CVE-2025-55125 and CVE-2025-59468: High and Medium severity respectively.


Affected Systems: 

  • Versions: All VBR 13.x builds up to and including 13.0.1.180.  
  • Patched Version: 13.0.1.1071 (released Jan 6, 2026) 
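Deciding whether a host is inside the affected range is easy to get wrong when build numbers are compared as strings: "13.0.1.180" sorts after "13.0.1.1071" character by character, so a naive comparison would report the last vulnerable build as newer than the fix. The following Python script is an added example (not Veeam's or Integrity360's code) that parses builds numerically and classifies them against the two numbers the bulletin gives. The host names and the other build numbers in the sample inventory are constructed for illustration, as are the function names.

```python
"""Added example: classify VBR 13.x builds against the bulletin's range.

Only two numbers come from the bulletin: 13.0.1.180 (last affected build)
and 13.0.1.1071 (fixed build). The sample inventory is constructed.
"""
from __future__ import annotations

LAST_AFFECTED_BUILD = (13, 0, 1, 180)
FIXED_BUILD = (13, 0, 1, 1071)


def parse_build(version: str) -> tuple[int, int, int, int]:
    """Turn '13.0.1.180' into (13, 0, 1, 180), padding short forms with 0.

    Integer tuples compare component by component, which is what a build
    number means. As strings, '13.0.1.180' > '13.0.1.1071' because '8' > '0',
    so a string comparison would wrongly treat the vulnerable build as newer.
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts) or len(parts) > 4:
        raise ValueError(f"not a dotted numeric build: {version!r}")
    nums = [int(p) for p in parts] + [0] * (4 - len(parts))
    return nums[0], nums[1], nums[2], nums[3]


def classify(version: str) -> str:
    """'affected', 'patched', 'unknown' (gap between the two builds) or
    'out-of-scope' (not a 13.x build, which this bulletin does not cover)."""
    build = parse_build(version)
    if build[0] != 13:
        return "out-of-scope"
    if build <= LAST_AFFECTED_BUILD:
        return "affected"
    if build >= FIXED_BUILD:
        return "patched"
    # A build above 13.0.1.180 but below 13.0.1.1071 is not described by the
    # bulletin; flag it for manual review against Veeam's own advisory.
    return "unknown"


# Constructed inventory (host names and non-bulletin builds are made up).
SAMPLE_INVENTORY = {
    "vbr-prod-01": "13.0.1.180",
    "vbr-prod-02": "13.0.1.1071",
    "vbr-dr-01": "13.0.0.100",
    "vbr-lab-01": "12.3.0.1",
}


def triage(inventory: dict[str, str]) -> dict[str, str]:
    """Map each host to its classification."""
    return {host: classify(build) for host, build in inventory.items()}


if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:12s} {SAMPLE_INVENTORY[host]:12s} {status}")
```

Feed the function whatever your asset inventory exports (the build string from the VBR console or installer metadata); anything that lands in "unknown" should be checked against Veeam's advisory rather than assumed safe.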

 

Attack Vector & Impact: 

  • Privileges and Access:
      ◦ Attackers must already hold the Backup Operator or Tape Operator role. These are privileged roles within Veeam environments, which is why the top rating was revised, but they are not full administrators, and operator accounts are routinely delegated.
      ◦ Successful exploitation yields code execution under the postgres database user context on the VBR server.

  • Threat Landscape:
      ◦ VBR is a high-value target for ransomware and extortion groups (e.g., Cuba, FIN7, Akira, Fog, Frag): control of the backup server enables backup deletion and lateral movement.

 

Threat Actors: 

Ransomware gangs previously exploiting VBR vulnerabilities include:  

  • Cuba ransomware, FIN7 (linked to Conti, REvil, etc.); 
  • Akira, Fog, and Frag ransomware operations, with several instances reported between October–November 2024. 

Indicators of Compromise (IOCs): 

Look for the following within VBR logs and backup files:  

  • Anomalous values in the interval or order parameters of requests to the VBR server.
  • Unexpected or malformed backup configuration files.
  • Malicious or anomalous password field submissions.

 

Monitor for signs of lateral movement or backup deletion activity following these anomalies. 
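The indicators above are parameter-level, so they lend themselves to a simple allowlist check: decide what a legitimate interval or order value looks like and flag everything else, together with the role of the account that sent it. The Python script below is an added example (not Veeam's or Integrity360's code, and not a description of Veeam's real log format). The log line layout, the expected parameter grammar (interval = a small integer, order = asc/desc or a plain identifier), the password length/control-character heuristic, and all sample lines are constructed assumptions; adapt LINE_RE and EXPECTED to the actual request logs you collect from VBR or a proxy in front of it.

```python
"""Added example: flag anomalous interval/order/password parameters in
constructed request-log lines, annotated with the sender's VBR role.
Everything here except the role names is an assumption for illustration.
"""
from __future__ import annotations

import re
from urllib.parse import parse_qsl

# Constructed line shape: '<date> <time> user=<u> role=<r> path=<p> query="<qs>"'
LINE_RE = re.compile(
    r'^(?P<ts>\S+ \S+) user=(?P<user>\S+) role=(?P<role>\S+) '
    r'path=(?P<path>\S+) query="(?P<query>[^"]*)"$'
)

# Expected grammar per parameter (assumption); anything else is flagged.
EXPECTED = {
    "interval": re.compile(r"^\d{1,6}$"),
    "order": re.compile(r"^(?:asc|desc|[A-Za-z_][A-Za-z0-9_]{0,63})$", re.IGNORECASE),
}
MAX_PASSWORD_LEN = 128                     # heuristic threshold, assumption
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")
PRIVILEGED_ROLES = {"BackupOperator", "TapeOperator"}   # roles named in the bulletin


def parse_line(line: str) -> dict | None:
    """Split one log line into its fields, or None if it does not fit LINE_RE."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def check_param(name: str, value: str) -> str | None:
    """Return a reason if the (already URL-decoded) parameter looks anomalous."""
    if name in EXPECTED:
        return None if EXPECTED[name].match(value) else f"{name} does not match expected grammar"
    if name == "password":
        if len(value) > MAX_PASSWORD_LEN:
            return "password longer than expected"
        if CONTROL_CHARS.search(value):
            return "password contains control characters"
    return None


def find_anomalies(line: str) -> list[dict]:
    """All findings for one line; unparseable lines are reported, not dropped."""
    rec = parse_line(line)
    if rec is None:
        return [{"reason": "unparseable line", "line": line}]
    findings = []
    # keep_blank_values so an empty 'interval=' is still checked.
    for name, value in parse_qsl(rec["query"], keep_blank_values=True):
        reason = check_param(name, value)
        if reason:
            findings.append({
                "ts": rec["ts"], "user": rec["user"], "role": rec["role"],
                "privileged": rec["role"] in PRIVILEGED_ROLES,
                "param": name, "value": value, "reason": reason,
            })
    return findings


def scan(lines: list[str]) -> list[dict]:
    """Run find_anomalies over every line and concatenate the findings."""
    out: list[dict] = []
    for line in lines:
        out.extend(find_anomalies(line))
    return out


# Constructed sample lines: one benign, two with odd interval/order values
# sent by privileged roles, one over-long password submission.
SAMPLE_LOG = [
    '2026-01-07 10:12:03 user=bkp-op1 role=BackupOperator path=/api/jobs query="interval=30&order=asc"',
    '2026-01-07 10:12:09 user=bkp-op1 role=BackupOperator path=/api/jobs query="interval=30%3Bid&order=asc"',
    '2026-01-07 10:13:41 user=tape-op2 role=TapeOperator path=/api/tapes query="order=name%27--"',
    '2026-01-07 10:14:02 user=admin role=Administrator path=/api/creds query="password=' + "A" * 200 + '"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f)
```

Treat a hit from a Backup Operator or Tape Operator account on an unpatched host as the trigger for the next step in the bulletin: pull that host's full activity and look for backup deletion or lateral movement from it. The grammar in EXPECTED is deliberately strict; expect to relax it (for example, if the real API accepts a leading "-" on order) once you have seen legitimate traffic.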

 

Recommendations: 

Integrity360 recommends that organisations immediately patch all VBR servers running 13.x to 13.0.1.1071 or later, and elevate monitoring for anomalies involving VBR, in particular activity from Backup Operator and Tape Operator accounts.

If you are worried about any of the threats outlined in this bulletin or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively Get in touch to find out how you can protect your organisation. 

 

 
