CVE-2025-59470

Critical

Published: 08 January 2026

Published

08 January 2026

Modified

14 January 2026

KEV Added

—

Patch

—

CVSS Score 9.0 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L

EPSS Score 0.0017 37.4th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

This vulnerability allows a Backup Operator to perform remote code execution (RCE) as the postgres user by sending a malicious interval or order parameter.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Applying Veeam patches from KB4792 directly remediates the command injection flaw enabling RCE via malicious interval or order parameters.

SI-10 Information Input Validation good match

prevent

Validating interval and order parameters against organization-defined rules prevents command injection payloads from executing arbitrary commands as the postgres user.

AC-6 Least Privilege partial match

prevent

Enforcing least privilege on Backup Operator accounts restricts access to vulnerable parameter inputs, limiting exploitation opportunities and RCE impact.

Security SummaryAI

CVE-2025-59470 is a command injection vulnerability (CWE-77) that allows a Backup Operator to perform remote code execution (RCE) as the postgres user by sending a malicious interval or order parameter. It affects Veeam software components involving postgres, with a CVSS v3.1 base score of 9.0 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L), highlighting its critical severity due to network-based exploitation, low complexity, required high privileges, no user interaction, scope change, high confidentiality and integrity impacts, and low availability impact. The vulnerability was published on 2026-01-08.

A Backup Operator, possessing high privileges (PR:H), can exploit this vulnerability over the network (AV:N) with low attack complexity (AC:L) and no need for user interaction (UI:N). Successful exploitation enables remote code execution as the postgres user, granting the attacker the ability to execute arbitrary commands in that context, potentially compromising database integrity and confidentiality.

Veeam has published knowledge base article KB4792 at https://www.veeam.com/kb4792, which details mitigation strategies and available patches for addressing CVE-2025-59470.

Details

CWE(s): CWE-77

Affected Products

veeam

veeam backup \& replication

13.0.0.4967 — 13.0.1.1071

MITRE ATT&CK Enterprise TechniquesAI

T1210 Exploitation of Remote Services Lateral Movement

Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.

attack.mitre.org →

Why these techniques?

Command injection vulnerability enables remote code execution on Veeam components involving PostgreSQL over the network by a high-privileged Backup Operator, directly facilitating Exploitation of Remote Services (T1210).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://www.veeam.com/kb4792
Vendor Advisory · support@hackerone.com