CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Description
A vulnerability allowing an authenticated user with the Backup Operator role to modify backup jobs, which could execute arbitrary code.
Analysis
A privilege escalation vulnerability in backup management systems that permits authenticated users holding the Backup Operator role to modify backup job configurations and thereby execute arbitrary code with system privileges. The vulnerability affects backup software implementations that fail to properly validate backup job modifications; an attacker must possess valid Backup Operator credentials but faces no additional complexity once authenticated. This vulnerability is not currently listed in CISA's KEV catalog, but the high CVSS score of 7.2 and the code execution capability indicate significant risk to organizations managing sensitive backup infrastructure.
Technical Context
This vulnerability stems from CWE-269 (Improper Access Control / Privilege Management), indicating insufficient authorization checks when modifying backup job parameters. Backup systems typically allow operators to define job configurations including scripts, command execution paths, and scheduling parameters. The vulnerability exists in the authorization layer where the system fails to validate that backup job modifications are restricted to appropriate administrative roles or that parameter inputs are properly sanitized. The affected technology involves backup orchestration engines (likely Windows Server Backup, Veeam, Commvault, or similar enterprise backup solutions) where the Backup Operator role—intended for operational job execution—is incorrectly granted modification privileges on job definitions. The root cause is likely insufficient role-based access control (RBAC) implementation or parameter validation in backup job serialization/deserialization routines, allowing modification of execution contexts or command injection through backup job metadata.
Affected Products
The CVE lacks explicit CPE designation in the provided data, but the description suggests Windows Server backup components or third-party enterprise backup solutions. Likely affected products include: (1) Microsoft Windows Server Backup (versions supporting Backup Operator RBAC delegation); (2) Veeam Backup & Replication (Backup Operator equivalent roles); (3) Commvault Complete Backup & Recovery (Backup Operator/operator roles); (4) Arcserve UDP (backup job modification functionality). Without vendor-specific advisories in the references, affected versions cannot be pinpointed. Organizations should consult vendor security bulletins using keywords: 'backup job modification', 'Backup Operator privilege escalation', 'backup job arbitrary execution'.
Remediation
Immediate mitigations: (1) restrict assignment of the Backup Operator role to the minimum required personnel, and audit existing assignments for unnecessary accounts; (2) strengthen authentication to the backup system (MFA for backup system access); (3) enable audit logging of backup job modifications and review it for unauthorized changes; (4) if vendor patches are available, apply them immediately, referring to vendor security advisories for specific version/build numbers. Specific patch availability is unknown; contact the backup solution vendor (Microsoft, Veeam, Commvault, etc.) citing CVE-2025-24286 to obtain fixed versions. Workarounds pending a patch: (a) segregate backup system access to restricted network segments; (b) implement application-level approval workflows for job modifications; (c) run backup services under least-privilege accounts to limit post-exploitation impact.
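The authorization gap described under Technical Context (job modification not restricted to administrative roles) and the audit-log review recommended above, shown together as an added example. This is not code from the advisory or from any backup vendor; the role names, permission set, job field names and the JSON audit-line format are constructed assumptions.

```python
"""Added example: deny-by-default RBAC gate for backup-job changes, plus a
detector over (constructed) JSON audit lines for modifications that either
come from a role that should not hold job.modify or touch execution fields."""
import json

# Job-definition fields whose change implies code execution on the backup host
# (hypothetical names; real products use their own schema)
EXEC_FIELDS = {"pre_job_command", "post_job_command", "script_path", "run_as"}

# Hypothetical role model: operators may run and view jobs, only admins change them
PERMISSIONS = {
    "Backup Operator": {"job.run", "job.view"},
    "Backup Administrator": {"job.run", "job.view", "job.modify", "job.create"},
}


def is_authorized(role: str, action: str) -> bool:
    """Deny by default: unknown roles and unlisted actions are refused."""
    return action in PERMISSIONS.get(role, set())


def changed_fields(before: dict, after: dict) -> set:
    """Keys whose value differs between the stored and the submitted job definition."""
    return {k for k in set(before) | set(after) if before.get(k) != after.get(k)}


def review_job_change(role: str, before: dict, after: dict) -> tuple:
    """Return (allowed, execution-relevant fields touched). The decision depends on
    the role alone; the touched set is reported so reviewers can see the impact."""
    touched = changed_fields(before, after) & EXEC_FIELDS
    return is_authorized(role, "job.modify"), touched


def flag_suspicious_modifications(log_lines: list) -> list:
    """Detection: report job.modify events by a role lacking job.modify, or any
    job.modify event that changes an execution-relevant field."""
    findings = []
    for line in log_lines:
        ev = json.loads(line)
        if ev.get("action") != "job.modify":
            continue
        touched = set(ev.get("changed", [])) & EXEC_FIELDS
        if not is_authorized(ev["role"], "job.modify") or touched:
            findings.append({"user": ev["user"], "role": ev["role"],
                             "job": ev["job"], "exec_fields": sorted(touched)})
    return findings


# Constructed sample audit lines (not real product output)
SAMPLE_LOG = [
    '{"user":"alice","role":"Backup Administrator","action":"job.modify","job":"nightly-db","changed":["schedule"]}',
    '{"user":"bob","role":"Backup Operator","action":"job.run","job":"nightly-db","changed":[]}',
    '{"user":"bob","role":"Backup Operator","action":"job.modify","job":"nightly-db","changed":["post_job_command"]}',
]
```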
EUVD-2025-18670