Why is the Veeam 13.0.1.1071 update critical for my backup security?

What vulnerabilities did Veeam fix in the January 2026 patch for Windows?

You must prioritize updating your infrastructure to Veeam Backup & Replication version 13.0.1.1071 immediately. Released on January 6, 2026, this patch addresses severe security flaws found within the V13.x development branch. If you operate on version 13.0.1.180 or any earlier build of version 13, your system remains exposed.

Those currently running Veeam Backup & Replication 12.x or older versions are not affected by this specific advisory. However, for V13 users, this update is mandatory to maintain a secure environment.

Critical Vulnerability Breakdown

The latest patch resolves four specific Common Vulnerabilities and Exposures (CVEs). These flaws primarily involve Remote Code Execution (RCE) and improper privilege management. This means an attacker with specific access could run malicious commands or gain unauthorized control over your backup server.

The vulnerabilities addressed are:

CVE-2025-59470 (Original Score: 9.0; Adjusted to High)

This critical flaw permits a “Backup or Tape Operator” to execute code remotely as a Postgres user. The exploit involves sending a manipulated interval or job parameter.

CVE-2025-55125 (Score: 7.2; High)

This allows a “Backup or Tape Operator” to execute code remotely with “root” (super-user) privileges. They achieve this by creating a compromised backup configuration file.

CVE-2025-59469 (Score: 7.2; High)

Similar to the above, this flaw enables a “Backup or Tape Operator” to write files directly to the system as root, bypassing standard permission checks.

CVE-2025-59468 (Score: 6.7; Medium)

This vulnerability targets the “Backup Administrator” role. It allows the execution of code as a Postgres user through a malicious password parameter.

Understanding the Severity Adjustment

You may notice CVE-2025-59470 carries a “Critical” technical score (9.0) but a “High” severity rating from Veeam. This distinction exists because the exploit requires the attacker to already possess the “Backup and Tape Operator” role.

Since this role is already a high-privilege position, the environmental likelihood of an external, unauthenticated attack is lower. However, internal threats or compromised operator credentials remain significant risks. Veeam advises that strict adherence to security guidelines regarding role assignment further mitigates this risk.

Action Plan

  1. Verify Version: Check your current build number. If it is 13.0.1.180 or lower, you are vulnerable.
  2. Apply Patch: Download and install version 13.0.1.1071 immediately.
  3. Audit Roles: Review which users hold “Backup and Tape Operator” privileges. Restrict this access to essential personnel only.
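
For step 1 across more than one server, the sketch below is an added example (not code from Veeam or from this page's author) that triages an inventory of build strings against the two builds named above, comparing them numerically because a plain string comparison ranks "13.0.1.1071" below "13.0.1.180". The hostnames and sample builds are constructed, and treating a V13 build that falls between 13.0.1.180 and 13.0.1.1071 as "update-required" is an assumption, since the page does not discuss such builds.

```python
import re

FIXED_BUILD = (13, 0, 1, 1071)           # patched build named on this page
LAST_KNOWN_VULNERABLE = (13, 0, 1, 180)  # this build and earlier V13 builds are exposed

_BUILD_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)\.(\d+)\s*$")


def parse_build(text):
    """Return the build as a 4-tuple of ints, or None if it is not a.b.c.d."""
    m = _BUILD_RE.match(text or "")
    return tuple(int(p) for p in m.groups()) if m else None


def classify(build_text):
    """Map a build string to a triage status for this advisory."""
    build = parse_build(build_text)
    if build is None:
        return "unknown"           # unparsable: check by hand, never assume safe
    if build[0] < 13:
        return "not-affected"      # 12.x and older are outside this advisory
    if build >= FIXED_BUILD:       # tuple comparison is numeric, field by field
        return "patched"
    if build <= LAST_KNOWN_VULNERABLE:
        return "vulnerable"
    # Assumption: V13 builds between .180 and .1071 are not covered by the page.
    return "update-required"


def triage(inventory):
    """Return (host, build, status) rows that need action, worst first."""
    order = {"vulnerable": 0, "update-required": 1, "unknown": 2}
    rows = [(host, build, classify(build)) for host, build in inventory.items()]
    rows = [row for row in rows if row[2] in order]
    return sorted(rows, key=lambda row: (order[row[2]], row[0]))


# Constructed inventory: hostnames and builds are sample values, not real data.
SAMPLE = {
    "vbr-prod-01": "13.0.1.180",
    "vbr-prod-02": "13.0.1.1071",
    "vbr-dr-01": "13.0.0.900",
    "vbr-legacy": "12.3.0.100",
    "vbr-lab": "13.0.1",       # truncated build string, cannot be judged
}

if __name__ == "__main__":
    for host, build, status in triage(SAMPLE):
        print(f"{host:12} {build:14} {status}")
```

Feed it the build numbers your own inventory or monitoring already collects; anything reported as "unknown" should be confirmed on the server itself.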