CVE-2025-59470
In short
A Backup Operator can run malicious code on the server as the postgres user by sending specially crafted interval or order parameters. This is critical because it gives an internal user the ability to take complete control of the database system.
Technical detail
CWE-77 (Improper Neutralization of Special Elements used in a Command) allows a Backup Operator to achieve RCE as the postgres user via malicious interval or order parameters. The attack requires valid Backup Operator credentials but results in full system compromise under the database process context.
Summary generated and translated by AI from the official description.
This vulnerability allows a Backup Operator to perform remote code execution (RCE) as the postgres user by sending a malicious interval or order parameter.
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L
Affected products
Veeam · Backup and Recovery
Public PoCs found: 1
github: github.com/George0Papasotiriou/CVE-2025-59470-PostgreSQL-Command-Injection (★ 1)
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
References
https://www.veeam.com/kb4792