CVE-2025-59470

CRITICAL

Veeam Backup & Replication < 13.0.1.1071 - Command Injection

Title source: rule

Description

This vulnerability allows a Backup Operator to perform remote code execution (RCE) as the postgres user by sending a malicious interval or order parameter.

Exploits (2)

github WORKING POC 10 stars

by XiaomingX · pythonpoc

https://github.com/XiaomingX/data-cve-poc-py-v1/tree/main/2025/CVE-2025-59470

View Code ZIP pw:eip

nomisec WORKING POC 1 stars

by George0Papasotiriou · poc

https://github.com/George0Papasotiriou/CVE-2025-59470-PostgreSQL-Command-Injection

View Code ZIP pw:eip

References (1)

[Vendor Advisory] https://www.veeam.com/kb4792

Scores

CVSS v3 9.0

EPSS 0.0017

EPSS Percentile 37.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L

Details

CWE

CWE-77

Status published

Products (1)

veeam/veeam_backup_\&_replication 13.0.0.4967 - 13.0.1.1071

Published Jan 08, 2026

Tracked Since Feb 18, 2026