CVE-2026-21708

Veeam · Backup & Replication

A vulnerability allows a user with Backup Viewer privileges to perform remote code execution as the postgres user on the backup system.

Executive summary

Veeam Backup & Replication contains a critical flaw allowing low-privileged Backup Viewers to execute arbitrary code as the postgres user, leading to database and system compromise.

Vulnerability

This vulnerability allows an attacker with "Backup Viewer" privileges to achieve remote code execution (RCE). The exploit specifically targets the underlying database component, allowing code to run in the context of the postgres user.

Business impact

By gaining RCE as the postgres user, an attacker can directly manipulate the backup database, extract sensitive configuration data, or escalate privileges to the full system level. The CVSS score of 9.9 reflects the high severity, as it allows a user with minimal read-only permissions to achieve high-impact execution.

Remediation

Immediate Action: Update the affected Veeam components to the latest version to patch the privilege escalation and RCE path.

Proactive Monitoring: Review database logs for unexpected queries or shell commands executed by the postgres service account.

Compensating Controls: Enforce strict Role-Based Access Control (RBAC) and ensure the database service is running with the minimum necessary permissions on the host operating system.
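As an added illustration of the log-review step above (example code written for this page, not Veeam's or PostgreSQL's own tooling, and not a description of how CVE-2026-21708 is triggered), the following Python scans PostgreSQL statement logs for SQL constructs that make the server run an OS command or read server-side files, which is what "shell commands executed by the postgres service account" would look like in the database log. It assumes the server logs with log_statement = 'all' and a log_line_prefix of '%m [%p] %u@%d ' so that user and database appear on every line; the log lines are constructed samples and the pattern list is a starting point rather than a complete signature set.

```python
import re
from dataclasses import dataclass

# Shape of PostgreSQL's stderr log when log_line_prefix = '%m [%p] %u@%d '
# (assumption for this example; adjust the regex to your own prefix).
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<user>[^@]+)@(?P<db>\S+) "
    r"(?P<level>LOG|ERROR|WARNING|FATAL):\s+(?P<rest>.*)$"
)

# Documented PostgreSQL features that reach the OS or the server filesystem.
# This list is a starting point (assumption), not a claim about this CVE.
SUSPICIOUS = [
    ("copy_program", re.compile(r"\bCOPY\b.*\b(?:TO|FROM)\s+PROGRAM\b", re.I | re.S)),
    ("server_file_read", re.compile(r"\bpg_read_(?:binary_)?file\s*\(", re.I)),
    ("server_dir_list", re.compile(r"\bpg_ls_dir\s*\(", re.I)),
    ("large_object_file", re.compile(r"\blo_(?:import|export)\s*\(", re.I)),
    ("c_function", re.compile(r"\bCREATE\b.*\bFUNCTION\b.*\bLANGUAGE\s+C\b", re.I | re.S)),
    ("extension", re.compile(r"\bCREATE\s+EXTENSION\b", re.I)),
]

# Constructed sample log (not captured from a real system); the database name
# VeeamBackup is used only as an illustrative value.
SAMPLE_LOG = """\
2026-02-10 09:14:02.118 UTC [4211] postgres@VeeamBackup LOG:  statement: SELECT id, name FROM backup_jobs WHERE state = 'Success';
2026-02-10 09:14:02.201 UTC [4211] postgres@VeeamBackup LOG:  duration: 3.104 ms
2026-02-10 09:14:05.402 UTC [4211] postgres@VeeamBackup LOG:  statement: COPY (SELECT 1) TO PROGRAM 'hostname';
2026-02-10 09:14:07.077 UTC [4215] postgres@VeeamBackup LOG:  statement: SELECT pg_read_file('/etc/hostname');
2026-02-10 09:14:09.300 UTC [4215] postgres@VeeamBackup ERROR:  permission denied
2026-02-10 09:14:11.951 UTC [4218] postgres@VeeamBackup LOG:  statement: INSERT INTO sessions (job_id) VALUES (42);
"""


@dataclass
class Finding:
    ts: str
    pid: str
    user: str
    db: str
    rule: str
    statement: str


def parse_statement(line):
    """Return (ts, pid, user, db, sql) for a 'statement:' log line, else None.

    Non-statement lines (durations, errors) and lines that do not match the
    expected prefix are ignored rather than guessed at.
    """
    m = LOG_RE.match(line)
    if not m or not m.group("rest").startswith("statement:"):
        return None
    sql = m.group("rest")[len("statement:"):].strip()
    return m.group("ts"), m.group("pid"), m.group("user"), m.group("db"), sql


def scan(lines):
    """Return one Finding per logged statement that matches a SUSPICIOUS rule.

    Every role is inspected; the Finding keeps the user so the analyst can see
    whether the service account itself ran the statement.
    """
    findings = []
    for line in lines:
        parsed = parse_statement(line)
        if parsed is None:
            continue
        ts, pid, user, db, sql = parsed
        for rule, rx in SUSPICIOUS:
            if rx.search(sql):
                findings.append(Finding(ts, pid, user, db, rule, sql))
                break  # one finding per statement is enough for triage
    return findings


def scan_text(text):
    """Convenience wrapper: scan a whole log file held as a string."""
    return scan(text.splitlines())


if __name__ == "__main__":
    for f in scan_text(SAMPLE_LOG):
        print(f"{f.ts} pid={f.pid} {f.user}@{f.db} [{f.rule}] {f.statement}")
```

Run it against a real log by reading the file and passing its contents to scan_text; on the sample it reports the COPY ... TO PROGRAM and pg_read_file statements and stays quiet on ordinary SELECT and INSERT traffic. The rule names are meant to feed a SIEM field, and any hit attributed to the postgres service account outside a known maintenance window is worth an immediate look.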

Exploitation status

Public Exploit Available: No

Analyst recommendation

Immediate remediation is required to prevent low-privileged users from compromising the entire backup database. Apply the vendor's patch immediately and verify that the Backup Viewer role is only assigned to necessary personnel.