
New Veeam Vulnerabilities Expose Backup Servers to RCE Attacks
Veeam releases critical security update addressing four vulnerabilities including CVE-2025-59470 (CVSS 9.0) allowing remote code execution on backup servers. With ransomware gangs actively targeting Veeam infrastructure, organizations must patch immediately.
Critical severity rating for CVE-2025-59470, allowing remote code execution as the postgres user on backup servers
Veeam has released security patches addressing four vulnerabilities in its Backup & Replication software, including a critical remote code execution flaw that could allow attackers to take complete control of backup infrastructure. The timing could not be more urgent - backup servers have become the primary target for ransomware operators who understand that destroying recovery capabilities forces victims to pay.
The vulnerabilities affect all version 13 builds up to 13.0.1.180 and have been addressed in version 13.0.1.1071, released January 6, 2026. Given that more than 20% of Rapid7 incident response cases in 2024 involved Veeam being accessed or exploited, organizations should treat this patch as an emergency deployment.
The Critical Vulnerability
CVE-2025-59470 carries a CVSS score of 9.0 and allows a Backup or Tape Operator to perform remote code execution as the postgres user by sending a malicious interval or order parameter. Veeam adjusted its internal severity rating to High because exploitation requires the attacker to already possess Backup or Tape Operator privileges.
This mitigating factor should not provide false comfort. Previous ransomware campaigns have routinely used compromised credentials to obtain exactly the privilege level that exploitation requires. Once inside a network, attackers actively seek out backup infrastructure and the credentials needed to access it.
The remaining three vulnerabilities compound the risk. CVE-2025-55125 enables remote code execution as root through malicious backup configuration files - arguably the most dangerous flaw as it provides complete system control. CVE-2025-59469 allows arbitrary file writes as root, creating pathways for privilege escalation. CVE-2025-59468 permits RCE as the postgres user through malicious password parameters.
Why Backup Servers Are Primary Targets
Backup infrastructure represents the last line of defense against ransomware. Attackers who can compromise or destroy backups before deploying ransomware eliminate their victims' recovery options, dramatically increasing the likelihood of ransom payment. This economic reality has made Veeam - with its 550,000 customers including 82% of Fortune 500 companies - an extremely high-value target.
The pattern is well documented. Sophos X-Ops tracks a threat activity cluster dubbed STAC 5881 that specifically targets Veeam infrastructure. The attack chain begins with compromised VPN credentials, often obtained through MFA-less gateways. Attackers then exploit Veeam vulnerabilities to create local administrator accounts, typically named "point," and add them to Administrators and Remote Desktop Users groups. Once persistence is established, they deploy Akira, Fog, or Frag ransomware.
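The persistence step described above (a new local account, typically named "point", created on the backup server and then added to the Administrators and Remote Desktop Users groups) is straightforward to detect from Windows Security auditing. The following is an added example, not Veeam or Sophos tooling: it correlates account-creation events (4720) with local-group additions (4732) on designated backup hosts inside a short time window. The pipe-delimited log format, the host names and the log lines are constructed sample data, not real telemetry.

```python
"""
Detect the persistence pattern reported for STAC 5881: a new local account is
created on a backup server (Windows Security event 4720) and, shortly after,
added to Administrators or Remote Desktop Users (event 4732).
Added example, not Veeam or Sophos tooling; log format and lines are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Local groups the reported attack chain adds the new account to.
WATCHED_GROUPS = {"Administrators", "Remote Desktop Users"}
# Account name seen in the reported intrusions. It raises severity, but any
# freshly created account added to a watched group on a backup host is flagged.
REPORTED_NAME = "point"
# Creation and group-add happen close together in the reported chain.
WINDOW = timedelta(minutes=30)


@dataclass
class Event:
    ts: datetime
    host: str
    event_id: int
    account: str
    group: str


def parse_line(line: str) -> Event:
    """Parse the constructed pipe-delimited format: ts|host|event_id|account|group."""
    ts, host, event_id, account, group = line.split("|")
    return Event(datetime.fromisoformat(ts), host, int(event_id), account, group)


def find_persistence(lines, backup_hosts):
    """Return (host, account, group, severity) for each 4720 -> 4732 pair on a backup host."""
    created = {}  # (host, account) -> time the account was created
    alerts = []
    events = sorted((parse_line(line) for line in lines), key=lambda e: e.ts)
    for ev in events:
        if ev.host not in backup_hosts:
            continue
        if ev.event_id == 4720:
            created[(ev.host, ev.account)] = ev.ts
        elif ev.event_id == 4732 and ev.group in WATCHED_GROUPS:
            t0 = created.get((ev.host, ev.account))
            if t0 is not None and ev.ts - t0 <= WINDOW:
                severity = "critical" if ev.account.lower() == REPORTED_NAME else "high"
                alerts.append((ev.host, ev.account, ev.group, severity))
    return alerts


# Constructed sample log lines (not real telemetry).
SAMPLE_LOGS = [
    "2026-01-06T10:00:00|VBR01|4720|helpdesk|",
    "2026-01-07T02:10:05|VBR01|4720|point|",
    "2026-01-07T02:11:30|VBR01|4732|point|Administrators",
    "2026-01-07T02:12:00|VBR01|4732|point|Remote Desktop Users",
    "2026-01-07T03:00:00|VBR01|4732|helpdesk|Administrators",     # outside the window
    "2026-01-07T09:00:00|VBR01|4732|svc_backup|Backup Operators",  # group not watched
    "2026-01-07T09:30:00|FILESRV|4720|tempadmin|",                 # not a backup host
]
BACKUP_HOSTS = {"VBR01"}  # constructed host list

if __name__ == "__main__":
    for host, account, group, severity in find_persistence(SAMPLE_LOGS, BACKUP_HOSTS):
        print(f"[{severity}] {host}: new account {account!r} added to {group}")
```

Only the "point" account on VBR01 produces alerts: the helpdesk account was created a day earlier, the service account went into an unwatched group, and the file server is not in the backup-host list. In production the same correlation would run over events from the backup servers' Security logs and should be tuned so that sanctioned account provisioning is excluded.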
More than 20% of Rapid7 incident response cases in 2024 involved Veeam being accessed or exploited after attackers established an initial foothold.
Historical Context: A Pattern of Critical Flaws
The January 2026 vulnerabilities continue a concerning trend. In October 2025, CVE-2025-48983 and CVE-2025-48984 enabled remote code execution on domain-joined Veeam installations with CVSS scores of 9.9. In March 2025, CVE-2025-23120 allowed authenticated domain users to achieve RCE on the Backup Server with identical severity ratings.
The September 2024 vulnerability CVE-2024-40711 proved particularly damaging. Carrying a CVSS score of 9.8 and requiring no authentication, it was rapidly weaponized by Akira, Fog, and later Frag ransomware operations. Earlier still, CVE-2023-27532 in March 2023 was exploited by FIN7 threat actors in collaboration with the Cuba ransomware group.
Each vulnerability disclosure has been followed by active exploitation, often within days. The window between patch release and weaponization continues to shrink as threat actors monitor security advisories and rapidly develop exploits.
Ransomware Groups Actively Exploiting Veeam
The threat actor ecosystem targeting Veeam infrastructure is well established. Akira ransomware has demonstrated consistent focus on backup systems, exploiting CVE-2024-40711 through compromised VPN credentials to establish persistence before deployment. Fog ransomware employs identical tactics, suggesting either shared tooling or operational knowledge transfer between groups.
Frag ransomware emerged in November 2024 specifically weaponizing the same Veeam exploitation techniques. The Cuba ransomware operation, linked to the FIN7 threat group, has previously collaborated with Conti, REvil, Maze, Egregor, and BlackBasta on attacks leveraging Veeam vulnerabilities.
Immediate Remediation Steps
Organizations running Veeam Backup & Replication version 13.0.1.180 or earlier must upgrade to version 13.0.1.1071 immediately. The patch is available through the Veeam download portal as of January 6, 2026. Version 12.x users are not affected by these specific vulnerabilities but should verify that they have applied the October 2025 patches for CVE-2025-48983 and CVE-2025-48984.
Beyond patching, organizations should audit all users with Backup Operator and Tape Operator roles to ensure only trusted personnel possess these privileges. Review VPN and remote access security, particularly ensuring MFA enforcement on all gateways. Given the documented attack pattern involving compromised VPN credentials, this represents a critical exposure point.
Network isolation for backup infrastructure significantly reduces attack surface. Veeam security guidelines recommend considering whether backup servers need domain membership at all - previous vulnerabilities specifically affected domain-joined installations. Implementing immutable backups through air-gapped storage or object lock capabilities provides defense in depth against attackers who achieve infrastructure access.
Enterprise Risk Assessment
The scale of potential impact is substantial. Veeam protects over 550,000 customers globally, including 74% of Global 2000 firms and 82% of Fortune 500 companies. Organizations relying on Veeam for business continuity face direct risk from these vulnerabilities - a successful attack could simultaneously compromise production systems and eliminate recovery capabilities.
For managed service providers overseeing multiple Veeam installations, the urgency multiplies. Each unpatched client environment represents both a direct risk and potential pivot point for broader attacks. MSPs should inventory all Veeam installations immediately, prioritize patching based on exposure characteristics, and communicate risk clearly to clients who delay remediation.
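For an MSP sweeping many installations, the remediation advice above reduces to a version check followed by a ranking by exposure. The following is an added example, not Veeam tooling: it classifies each build against the boundaries the advisory states (all version 13 builds up to 13.0.1.180 affected, 13.0.1.1071 fixed, 12.x out of scope for these CVEs) and orders hosts by patch status, domain membership and the number of Backup/Tape Operator accounts. The inventory entries, host names and non-advisory version strings are constructed.

```python
"""
Version triage for the January 2026 Veeam Backup & Replication advisory.
Added example for an MSP-style inventory sweep; not Veeam tooling.
Version boundaries come from the advisory as reported: version 13 builds up to
13.0.1.180 are affected, 13.0.1.1071 is the fix, 12.x is out of scope here.
"""
LAST_VULNERABLE_V13 = (13, 0, 1, 180)
FIXED_V13 = (13, 0, 1, 1071)


def parse_version(text: str) -> tuple:
    """Turn '13.0.1.180' into (13, 0, 1, 180) so tuples compare numerically."""
    return tuple(int(part) for part in text.strip().split("."))


def classify(version: str) -> str:
    """Map a build string to a patch status for this advisory."""
    v = parse_version(version)
    major = v[0]
    if major == 13:
        if v >= FIXED_V13:
            return "patched"
        if v <= LAST_VULNERABLE_V13:
            return "vulnerable"
        # Builds between 13.0.1.180 and 13.0.1.1071 are not described by the advisory.
        return "verify"
    if major == 12:
        # Not affected by the January 2026 CVEs, but the October 2025 fixes still apply.
        return "not-affected-check-oct-2025"
    return "out-of-scope"


def prioritize(inventory):
    """Score hosts: patch status first, then exposure characteristics."""
    base = {"vulnerable": 100, "verify": 60, "not-affected-check-oct-2025": 20,
            "out-of-scope": 10, "patched": 0}
    ranked = []
    for host in inventory:
        status = classify(host["version"])
        score = base[status]
        # The October 2025 flaws hit domain-joined installs, and Veeam's own
        # guidance questions whether the backup server needs domain membership.
        if host["domain_joined"]:
            score += 10
        # Each Backup/Tape Operator account is a credential that satisfies the
        # privilege precondition of CVE-2025-59470 (capped so it stays a tiebreaker).
        score += min(host["operator_accounts"], 10)
        ranked.append({"host": host["host"], "status": status, "score": score})
    return sorted(ranked, key=lambda r: (-r["score"], r["host"]))


# Constructed inventory, not real customer data; 13.0.0.9 and 12.1.0.1 are made-up builds.
INVENTORY = [
    {"host": "clientA-vbr", "version": "13.0.1.180", "domain_joined": True, "operator_accounts": 6},
    {"host": "clientB-vbr", "version": "13.0.1.1071", "domain_joined": False, "operator_accounts": 2},
    {"host": "clientC-vbr", "version": "13.0.0.9", "domain_joined": False, "operator_accounts": 1},
    {"host": "clientD-vbr", "version": "12.1.0.1", "domain_joined": True, "operator_accounts": 3},
]

if __name__ == "__main__":
    for row in prioritize(INVENTORY):
        print(f"{row['score']:>4}  {row['status']:<28} {row['host']}")
```

The ranking puts the domain-joined, operator-heavy vulnerable host first and the patched workgroup host last; the 12.x host lands in between because it still needs confirmation of the October 2025 patches. The "verify" status exists so that a build the advisory does not describe is never silently treated as safe.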
The consistent pattern of critical Veeam vulnerabilities - four CVSS 9.0+ flaws in the past twelve months alone - suggests organizations should treat backup infrastructure as a primary security boundary rather than an afterthought. Regular security assessments, aggressive patching timelines, and defense-in-depth architectures are no longer optional for backup systems.
Frequently Asked Questions
All Veeam Backup & Replication version 13 builds up to 13.0.1.180 are vulnerable. Version 12.x is not affected by these specific January 2026 CVEs but should have October 2025 patches applied.
No. The vulnerability requires the attacker to already possess Backup or Tape Operator privileges. However, ransomware groups routinely obtain these credentials through prior network compromise, making this a serious threat in practice.
Akira, Fog, and Frag ransomware groups have actively exploited Veeam vulnerabilities. The Cuba ransomware operation, linked to FIN7, has also targeted Veeam infrastructure in collaboration with other ransomware gangs.
Veeam security guidelines recommend evaluating whether backup servers need domain membership. Previous critical vulnerabilities (CVE-2025-48983, CVE-2025-48984) specifically affected domain-joined installations. Workgroup configuration reduces attack surface from domain credential compromise.
Veeam Backup & Replication version 13.0.1.1071, released January 6, 2026, addresses all four vulnerabilities. Download from the official Veeam download portal.