Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
A vulnerability allowing an authenticated user with the Backup Operator role to modify backup jobs, which could execute arbitrary code.
AnalysisAI
Privilege escalation vulnerability in backup management systems that permits authenticated users with the Backup Operator role to modify backup job configurations and execute arbitrary code with system privileges. The vulnerability affects backup software implementations that fail to properly validate backup job modifications; attackers must possess valid Backup Operator credentials but face no additional complexity once authenticated. This vulnerability is not currently listed in CISA's KEV catalog, but the high CVSS score of 7.2 and code execution capability indicate significant risk to organizations managing sensitive backup infrastructure.
Technical ContextAI
This vulnerability stems from CWE-269 (Improper Access Control / Privilege Management), indicating insufficient authorization checks when modifying backup job parameters. Backup systems typically allow operators to define job configurations including scripts, command execution paths, and scheduling parameters. The vulnerability exists in the authorization layer where the system fails to validate that backup job modifications are restricted to appropriate administrative roles or that parameter inputs are properly sanitized. The affected technology involves backup orchestration engines (likely Windows Server Backup, Veeam, Commvault, or similar enterprise backup solutions) where the Backup Operator role—intended for operational job execution—is incorrectly granted modification privileges on job definitions. The root cause is likely insufficient role-based access control (RBAC) implementation or parameter validation in backup job serialization/deserialization routines, allowing modification of execution contexts or command injection through backup job metadata.
RemediationAI
Immediate mitigations: (1) Restrict assignment of Backup Operator role to minimal required personnel; audit existing assignments for unnecessary accounts; (2) Implement backup system authentication strengthening (MFA for backup system access); (3) Enable audit logging on backup job modifications and review for unauthorized changes; (4) If vendor patches are available, apply immediately—reference vendor security advisories for specific version/build numbers. Specific patch availability unknown; recommend contacting backup solution vendor (Microsoft, Veeam, Commvault, etc.) using CVE-2025-24286 to obtain fixed versions. Workarounds pending patch: (a) segregate backup system access to restricted network segments; (b) implement application-level job modification approval workflows; (c) run backup services under least-privilege accounts to limit post-exploitation impact.
Same weakness CWE-269 – Improper Privilege Management
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-18670