

Veeam Patches Critical RCE Vulnerability in Backup & Replication

2 unique sources, 2 articles

Summary


Veeam has released security updates addressing multiple vulnerabilities in its Backup & Replication (VBR) software, including a remote code execution (RCE) flaw, CVE-2025-59470, initially rated critical with a CVSS score of 9.0. The flaw allows an authenticated user holding the Backup Operator or Tape Operator role to execute code as the postgres user by sending malicious parameters. Three additional vulnerabilities with CVSS scores ranging from 6.7 to 7.2 were also patched. All four affect Veeam Backup & Replication 13.0.1.180 and earlier builds and are fixed in version 13.0.1.1071. Veeam later adjusted the severity rating of CVE-2025-59470 to high because exploitation requires one of those operator roles. Ransomware gangs have targeted VBR servers to simplify data theft and block restoration efforts; the Cuba ransomware gang and FIN7 have been linked to such attacks.
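A patch-status check an administrator might run against an inventory of VBR builds, added here as an example (it is not Veeam tooling). The only facts it takes from the summary are the two boundary builds, 13.0.1.180 (last affected) and 13.0.1.1071 (fixed); the hostnames and the 13.0.0 build in the inventory are constructed. The point it makes beyond the text: these four-part build numbers must be compared numerically, because as strings "13.0.1.180" sorts after "13.0.1.1071" and a naive check would report the last affected build as already patched.

```python
"""Triage Veeam Backup & Replication builds against the fixed build.

Added example, not Veeam tooling. The two boundary builds come from the
advisory summary on this page; hostnames and the inventory are constructed.
"""
from __future__ import annotations

LAST_AFFECTED_BUILD = "13.0.1.180"   # highest build the page lists as affected
FIXED_BUILD = "13.0.1.1071"          # build that carries the fix


def parse_build(version: str) -> tuple[int, ...]:
    """Turn a dotted build string into a tuple of ints so it compares numerically."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric build string: {version!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(version: str) -> bool:
    """True when the build predates the fixed build (13.0.1.180 and earlier)."""
    return parse_build(version) < parse_build(FIXED_BUILD)


def is_vulnerable_naive(version: str) -> bool:
    """Deliberately wrong: plain string comparison.

    As text, "180" sorts after "1071" because '8' > '0', so the last affected
    build is reported as already patched. Kept here only to show the pitfall.
    """
    return version < FIXED_BUILD


def triage(inventory: dict[str, str]) -> list[str]:
    """Return the hostnames still running an unpatched build, sorted."""
    return sorted(host for host, build in inventory.items() if is_vulnerable(build))


# Constructed inventory: hostnames and the 13.0.0 build are made up for the example.
SAMPLE_INVENTORY = {
    "vbr-prod-01": "13.0.1.1071",
    "vbr-prod-02": "13.0.1.180",
    "vbr-lab-01": "13.0.0.100",
}

if __name__ == "__main__":
    for host, build in SAMPLE_INVENTORY.items():
        print(f"{host:12} {build:14} vulnerable={is_vulnerable(build)} "
              f"naive={is_vulnerable_naive(build)}")
    print("needs patch:", triage(SAMPLE_INVENTORY))
```

Feed `triage` whatever inventory source you trust (a CMDB export, the build reported by each backup server) rather than the constructed dictionary; the comparison itself does not change.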

Timeline

  1. 07.01.2026 15:06 · 1 article

    Ransomware gangs target Veeam Backup & Replication servers

    Veeam Backup & Replication (VBR) is popular among mid-sized to large enterprises and managed service providers. Ransomware gangs target VBR servers to simplify data theft and block restoration efforts. The Cuba ransomware gang and FIN7 have been linked to attacks targeting VBR vulnerabilities. Frag ransomware exploited CVE-2024-40711 in VBR, a flaw that was also used in Akira and Fog ransomware attacks.

  2. 07.01.2026 12:41 · 2 articles

    Veeam Patches Critical RCE Vulnerability in Backup & Replication

    Veeam has released security updates to address multiple vulnerabilities in its Backup & Replication software, including a critical RCE flaw (CVE-2025-59470) with a CVSS score of 9.0. The flaw allows Backup or Tape Operators to execute code as the postgres user. Three additional vulnerabilities with CVSS scores ranging from 6.7 to 7.2 were also patched. All vulnerabilities affect versions up to 13.0.1.180 and have been fixed in version 13.0.1.1071. Veeam adjusted the severity rating of CVE-2025-59470 to high due to the required Backup or Tape Operator roles for exploitation.



Similar Happenings

Active Exploitation of Gogs Zero-Day Vulnerability

A high-severity zero-day vulnerability (CVE-2025-8110, CVSS 8.7) in Gogs, a self-hosted Git service, is being actively exploited across over 700 internet-accessible instances. The flaw allows arbitrary code execution by bypassing a previously patched remote code execution vulnerability (CVE-2024-55947). The attacks involve deploying malware based on the Supershell C2 framework, linked to Chinese hacking groups. The vulnerability stems from a path traversal weakness in the PutContents API, enabling attackers to overwrite sensitive files and execute arbitrary commands. The attacks appear to be part of a 'smash-and-grab' campaign, with repositories left behind on compromised systems. As of now, there is no patch available for CVE-2025-8110, and users are advised to disable open registration, limit internet exposure, and scan for suspicious repositories. A second wave of attacks was observed on November 1, 2025, and the malware communicates with a command-and-control server at 119.45.176[.]196.
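The weakness class behind the Gogs bug, a file-write API that lets a caller-supplied path climb out of the repository, is easy to demonstrate in isolation. The following is an added example and not Gogs code: it does not model the PutContents API or its request format, only the path check that such an API needs. It shows the unsafe join beside a confined version that resolves `..` and symlinks before testing containment, and the refusal to write under `.git` is an extra hardening step assumed here, not something the page states about the Gogs fix.

```python
"""Confine a user-supplied repository path under the repository root.

Added example of the path-traversal weakness class behind the Gogs bug, not
Gogs code. The API name and file contents are not modelled; only the path check.
"""
from __future__ import annotations

import os
import shutil
import tempfile
from pathlib import PurePosixPath


def resolve_in_repo_unsafe(repo_root: str, user_path: str) -> str:
    """The weakness: join untrusted input onto the root without any check."""
    return os.path.join(repo_root, user_path)


def resolve_in_repo(repo_root: str, user_path: str) -> str:
    """Return an absolute path inside repo_root, or raise ValueError.

    Rejects absolute paths and NUL bytes up front, resolves symlinks and
    '..' with realpath, then requires the result to stay under the root.
    Refusing anything under .git is an extra hardening step (assumption):
    hooks and config there are interpreted by git, not served as content.
    """
    if user_path.startswith("/") or "\x00" in user_path:
        raise ValueError(f"absolute path or NUL byte rejected: {user_path!r}")
    if ".git" in PurePosixPath(user_path).parts:
        raise ValueError(f"writes under .git are not allowed: {user_path!r}")
    root = os.path.realpath(repo_root)
    candidate = os.path.realpath(os.path.join(root, user_path))
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError(f"path escapes the repository: {user_path!r}")
    return candidate


def run_checks() -> dict[str, bool]:
    """Build a throwaway repo with a symlink pointing outside it and report,
    per constructed input, whether resolve_in_repo rejected it (True)."""
    base = tempfile.mkdtemp()
    repo = os.path.join(base, "repo")
    outside = os.path.join(base, "outside")
    os.makedirs(os.path.join(repo, "src"))
    os.makedirs(outside)
    os.symlink(outside, os.path.join(repo, "link"))  # symlink escape route
    inputs = [
        "src/main.go",              # legitimate file inside the repo
        "../outside/x",             # classic dot-dot traversal
        "src/../../outside/x",      # traversal hidden behind a real directory
        "link/x",                   # traversal through a symlink
        "/etc/passwd",              # absolute path
        ".git/hooks/post-receive",  # git would run this on the next push
    ]
    results: dict[str, bool] = {}
    try:
        for p in inputs:
            try:
                resolve_in_repo(repo, p)
                results[p] = False
            except ValueError:
                results[p] = True
    finally:
        shutil.rmtree(base)
    return results


if __name__ == "__main__":
    print("unsafe:", resolve_in_repo_unsafe("/srv/gogs/repo", "../../etc/passwd"))
    for path, rejected in run_checks().items():
        print(f"{'REJECT' if rejected else 'allow '}  {path}")
```

The symlink case is the one a string-only check misses: `link/x` contains no `..` at all, yet it lands outside the repository once the link is followed, which is why the check compares resolved paths rather than the raw input.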

Unauthenticated access vulnerability in Oracle E-Business Suite Configurator

A critical vulnerability in Oracle E-Business Suite (EBS), CVE-2025-61884, allows unauthenticated attackers to access sensitive data over HTTP. It affects versions 12.2.3 through 12.2.14 and has a CVSS score of 7.5. CISA has confirmed that the vulnerability is being exploited in attacks and has added it to its Known Exploited Vulnerabilities catalog. Oracle has issued an emergency security update, but exploitation in the wild had already been reported. The vulnerability is in the Runtime UI component of the Configurator and could lead to unauthorized access to critical data. Oracle initially fixed the vulnerability silently, after it had been actively exploited and a proof-of-concept exploit was leaked by the ShinyHunters extortion group. This development follows recent disclosures of zero-day exploitation in EBS software attributed to a group with ties to the Clop ransomware group, which has been involved in major data theft campaigns targeting zero-days in Accellion FTA, GoAnywhere MFT, Cleo, and MOVEit Transfer.

Critical deserialization flaw in GoAnywhere MFT (CVE-2025-10035) patched

The critical deserialization vulnerability (CVE-2025-10035) in GoAnywhere MFT has been actively exploited by the cybercrime group Storm-1175 in Medusa ransomware attacks since at least September 11, 2025. The flaw, rated 10.0 on the CVSS scale, allows arbitrary command execution if the system is publicly accessible over the internet. Fortra has released patches in versions 7.8.4 and 7.6.3. The vulnerability was disclosed on September 18, 2025, but exploitation began a week earlier. The Shadowserver Foundation is monitoring over 513 GoAnywhere MFT instances exposed online, although the number of patched instances is unknown.

The flaw sits in the same license code path as the earlier CVE-2023-0669, which was widely exploited by multiple ransomware and APT groups in 2023, including LockBit. It enables an attacker to bypass signature verification by crafting a forged license response signature, allowing the deserialization of arbitrary, attacker-controlled objects. Successful exploitation could result in command injection and potential remote code execution (RCE) on the affected system.

Following exploitation, the threat actor used the legitimate remote monitoring and management (RMM) tools SimpleHelp and MeshAgent to launch binaries, establish command-and-control (C2) infrastructure, and set up a Cloudflare tunnel for C2 communication. Rclone was deployed and executed in at least one victim environment during the exfiltration stage. Medusa ransomware has over 300 global victims in critical infrastructure sectors, including a confirmed attack on a US healthcare organization in early 2025.

Fortra began investigating the vulnerability on September 11, 2025, following a customer report; the same day it contacted on-premises customers with publicly accessible admin consoles and notified law enforcement. A hotfix for versions 7.6.x, 7.7.x, and 7.8.x was released on September 12, 2025, and full patches for versions 7.6.3 and 7.8.4 on September 15, 2025. The CVE was formally published on September 18, 2025. Fortra confirmed a limited number of reports of unauthorized activity related to CVE-2025-10035 and recommends restricting admin console access over the internet and enabling monitoring. watchTowr CEO and founder Benjamin Harris reiterated the need for transparency from Fortra regarding the private keys used in the exploit.

Critical deserialization flaw in DELMIA Apriso MOM actively exploited

A critical deserialization vulnerability (CVE-2025-5086) in Dassault Systèmes DELMIA Apriso Manufacturing Operations Management (MOM) software is actively exploited, with a CVSS score of 9.0. The flaw affects versions from Release 2020 through Release 2025 and allows remote code execution (RCE). Two more DELMIA Apriso vulnerabilities, CVE-2025-6205 and CVE-2025-6204, have also been identified and are actively exploited: CVE-2025-6205 is a critical-severity missing authorization flaw, and CVE-2025-6204 is a high-severity code injection vulnerability. Both were patched by Dassault Systèmes in early August 2025. The vulnerabilities can be chained to create accounts with elevated privileges and place executable files into a web-served directory. The product exposes a SOAP-based message processor endpoint that accepts XML payloads for bulk employee/identity provisioning, and a file upload API used by portal components that is accessible only after authentication. DELMIA Apriso is used to digitalize and monitor production processes and is deployed in automotive, aerospace, electronics, high-tech, and industrial machinery divisions. CISA has added these flaws to its Known Exploited Vulnerabilities (KEV) catalog, and FCEB agencies are advised to apply updates by November 18, 2025, to secure their networks.

Separately, a vulnerability in XWiki (CVE-2025-24893) has been identified and is actively exploited. The flaw allows arbitrary remote code execution through a request to the /bin/get/Main/SolrSearch endpoint and is being exploited in a two-stage attack chain that delivers a cryptocurrency miner. It was reported by John Kwak of Trend Micro in May 2024 and addressed in XWiki versions 15.10.11, 16.4.1, and 16.5.0RC1 in June 2024. Technical details emerged roughly half a year later, and an NVD advisory was published in February 2025. Numerous proof-of-concept (PoC) exploits targeting the vulnerability have been available since early 2025. CrowdSec observed the vulnerability being abused for reconnaissance earlier this year but noted a decline in activity.

VulnCheck identified in-the-wild attacks exploiting CVE-2025-24893 to deploy a cryptocurrency miner. The attacks proceed in a two-pass workflow separated by at least 20 minutes: the first pass stages a downloader, and the second pass executes it. The observed traffic originates from an IP address geolocated to Vietnam that has been associated with other malicious activity. The RondoDox botnet has also been observed targeting unpatched XWiki instances to exploit CVE-2025-24893; its first exploit attempt was observed on November 3, 2025, and VulnCheck saw exploitation spike with peaks on November 7 and November 11, 2025. RondoDox keeps adding exploitation vectors to rope susceptible devices into a botnet for DDoS attacks over HTTP, UDP, and TCP. Other attacks have exploited the flaw to deliver cryptocurrency miners, establish a reverse shell, and conduct general probing using a Nuclei template for CVE-2025-24893.
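A detection pass that a defender could run over XWiki front-end access logs for the activity described above, added here as an example (it is not VulnCheck, CrowdSec or XWiki code). It takes two things from the text: the /bin/get/Main/SolrSearch endpoint, and the two-pass pattern in which the same source returns at least 20 minutes later. The log lines are constructed in Apache combined format, and flagging a User-Agent containing "nuclei" assumes the scanner's default UA was left unchanged; the exploit payload itself is not modelled, so this flags touches of the endpoint, not confirmed exploitation.

```python
"""Flag SolrSearch probing in web-server access logs.

Added detection example; not VulnCheck, CrowdSec or XWiki code. Log lines
are constructed in Apache combined format. The endpoint path and the
20-minute gap between passes come from the text above; matching "nuclei"
in the User-Agent assumes the scanner's default UA was not changed.
"""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)
TARGET_PATH = "/bin/get/Main/SolrSearch"   # endpoint named in the text
TWO_PASS_GAP = timedelta(minutes=20)       # gap between the two passes

# Constructed sample log: RFC 5737 test addresses, invented timestamps.
SAMPLE_LOG = [
    '203.0.113.5 - - [07/Nov/2025:10:00:00 +0000] "GET /xwiki/bin/get/Main/SolrSearch?text=probe HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [07/Nov/2025:10:03:10 +0000] "GET /xwiki/bin/view/Main/ HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [07/Nov/2025:10:05:44 +0000] "GET /xwiki/bin/get/Main/SolrSearch?text=probe HTTP/1.1" 200 510 "-" "Mozilla/5.0 (Nuclei - Open-source project (github.com/projectdiscovery/nuclei))"',
    '198.51.100.20 - - [07/Nov/2025:10:10:00 +0000] "GET /xwiki/bin/get/Main/SolrSearch?text=probe HTTP/1.1" 200 512 "-" "curl/8.4.0"',
    '198.51.100.20 - - [07/Nov/2025:10:15:00 +0000] "GET /xwiki/bin/get/Main/SolrSearch?text=probe HTTP/1.1" 200 512 "-" "curl/8.4.0"',
    '203.0.113.5 - - [07/Nov/2025:10:25:12 +0000] "GET /xwiki/bin/get/Main/SolrSearch?text=probe HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    "not a log line",
]


def parse_line(line: str) -> dict | None:
    """Parse one combined-format line; return None for anything malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "path": m["path"],
        "ua": m["ua"],
    }


def analyze(lines) -> dict[str, list[str]]:
    """Group SolrSearch hits by source and report three sorted IP lists:
    every source that touched the endpoint, sources whose first and last
    hits are at least 20 minutes apart (two-pass pattern), and sources
    whose User-Agent looks like Nuclei."""
    hits: dict[str, list[datetime]] = defaultdict(list)
    scanner: set[str] = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None or TARGET_PATH not in rec["path"]:
            continue
        hits[rec["ip"]].append(rec["ts"])
        if "nuclei" in rec["ua"].lower():
            scanner.add(rec["ip"])
    two_pass = set()
    for ip, times in hits.items():
        times.sort()
        if times[-1] - times[0] >= TWO_PASS_GAP:
            two_pass.add(ip)
    return {
        "touched": sorted(hits),
        "two_pass": sorted(two_pass),
        "scanner": sorted(scanner),
    }


if __name__ == "__main__":
    for label, ips in analyze(SAMPLE_LOG).items():
        print(f"{label:9} {ips}")
```

Any hit on SolrSearch from an unexpected source is worth a look on its own; the two-pass list narrows that to the stage-then-execute behaviour reported for the miner campaign, and the scanner list separates generic Nuclei probing from hands-on activity.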

Public exploit for chained SAP NetWeaver flaws enables remote code execution

A new exploit combining two critical vulnerabilities in SAP NetWeaver has been publicly released. It chains CVE-2025-31324 and CVE-2025-42999 to bypass authentication and achieve remote code execution. The flaws were patched in April and May 2025 but had been exploited as zero-days since at least March. Multiple threat actors, including ransomware groups and espionage crews, have weaponized these vulnerabilities. The exploit allows unauthenticated attackers to execute arbitrary commands, upload files, and take over affected systems. It was released on a Telegram channel representing Scattered Spider, ShinyHunters, and LAPSUS$. The attack chain uses CVE-2025-31324 to reach critical functionality and then CVE-2025-42999 to deserialize the payload and execute code with SAP system privileges; the same technique can reportedly be reused against additional SAP deserialization flaws patched in July 2025. Organizations should apply SAP Security Note 3594142 and Security Note 3604119 to protect against this exploit.