Advisory

Veeam Patches Critical RCE Vulnerabilities in Backup & Replication Software

Take action: If you are using Veeam Software, make sure it's isolated both from the internet and from your main domain so a single stolen password doesn't lead to total data loss. Then plan a quick patch cycle, since any isolation will be breached given enough time.


Learn More

Veeam Software released critical security updates for its Backup & Replication (VBR) platform to fix multiple vulnerabilities, including four critical remote code execution (RCE) flaws. 

Vulnerabilities summary:

  • CVE-2026-21666 (CVSS score 9.9) - A remote code execution vulnerability that allows an authenticated domain user to run arbitrary code on the Backup Server. The flaw exists in the way the server processes authenticated requests, allowing an attacker with valid domain credentials to send specially crafted packets that trigger command execution. This bypasses standard role-based access controls, giving the attacker full control over the backup infrastructure.
  • CVE-2026-21667 (CVSS score 9.9) - A critical remote code execution vulnerability that enables authenticated domain users to compromise the Backup Server through low-complexity attacks. The technical mechanism involves a failure in the server's internal communication logic, where user-supplied input is not properly sanitized before being used in system calls. An attacker can exploit this to run malicious scripts with the privileges of the Veeam service, leading to a complete system takeover.
  • CVE-2026-21708 (CVSS score 9.9) - A remote code execution vulnerability that allows a user with Backup Viewer permissions to execute code as the postgres user. This privilege escalation occurs because the application does not properly isolate database queries from the user interface, allowing a low-privileged user to inject commands into the database backend. Once code execution is achieved as the database user, the attacker can manipulate backup metadata or attempt to escape to the host operating system.
  • CVE-2026-21668 (CVSS score 8.8) - A high-severity restriction bypass that allows authenticated domain users to manipulate arbitrary files on a Backup Repository. The vulnerability stems from a logic error in the file handling module that fails to enforce path restrictions for authenticated users. Attackers can use this to delete or overwrite backup files, effectively neutralizing the organization's ability to recover from a ransomware attack.
  • CVE-2026-21672 (CVSS score 8.8) - A local privilege escalation vulnerability affecting Windows-based Veeam Backup & Replication servers. This flaw allows an attacker who already has local access to the server to exploit insecure file permissions to gain administrative rights. This escalation is critical because it allows an attacker to disable security software and gain full control over the backup host.

By gaining access to the backup server, attackers can move through the network, steal data, and delete all recovery points. Recent incidents involving the Akira and Fog ransomware groups show that compromising backup infrastructure is a standard step in modern extortion attacks. 

The vulnerabilities affect Veeam Backup & Replication version 12.3.2.4165 and all earlier version 12 builds. 

Veeam warned that hackers often reverse-engineer patches to find out how to exploit systems that have not been updated yet. This makes it vital for administrators to apply the fixes before exploit code becomes widely available.

Administrators should update to Veeam Backup & Replication version 12.3.2.4465 or version 13.0.1.2067 as soon as possible. Administrators should also confirm that their backup servers are not directly exposed to the internet and are isolated from the main corporate domain.
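To make the version check above repeatable across a fleet, here is an added Python example (not Veeam's own tooling and not part of the original advisory) that classifies a VBR build string against the affected and fixed versions stated in this advisory. It assumes you already have each host's installed version string from your inventory or patch-management system; the hostnames and the 12.1.x build below are constructed sample values.

```python
"""Classify Veeam Backup & Replication builds against the versions named in
this advisory.  Added example; the numbers below are taken from the advisory
text, the inventory is constructed for illustration."""
from typing import Dict, Tuple

Version = Tuple[int, int, int, int]

# From the advisory: 12.3.2.4165 and all earlier 12.x builds are affected.
LAST_AFFECTED_V12: Version = (12, 3, 2, 4165)
# From the advisory: the builds administrators should update to.
FIXED_BUILDS: Dict[int, Version] = {
    12: (12, 3, 2, 4465),
    13: (13, 0, 1, 2067),
}


def parse_version(text: str) -> Version:
    """Turn a dotted build string such as '12.3.2.4165' into a 4-tuple.

    Missing trailing fields are padded with 0 so tuples compare correctly;
    anything non-numeric is rejected rather than silently misclassified.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    nums = tuple(int(p) for p in parts[:4])
    return nums + (0,) * (4 - len(nums))  # type: ignore[return-value]


def classify(text: str) -> str:
    """Return 'patched', 'affected' or 'unknown' for one build string.

    'unknown' covers builds the advisory does not explicitly describe
    (e.g. a 12.x build between 4165 and 4465, a 13.x build below the fixed
    one, or any pre-12 release); treat those as needing manual verification.
    """
    version = parse_version(text)
    major = version[0]
    fixed = FIXED_BUILDS.get(major)
    if fixed is not None and version >= fixed:
        return "patched"
    if major == 12 and version <= LAST_AFFECTED_V12:
        return "affected"
    return "unknown"


def triage(inventory: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """Map hostname -> (version, status) for a host -> version inventory."""
    return {host: (ver, classify(ver)) for host, ver in inventory.items()}


# Constructed sample inventory; hostnames and versions are illustrative only.
SAMPLE_INVENTORY = {
    "vbr-prod-01": "12.3.2.4165",   # last affected 12.x build
    "vbr-dr-01": "12.3.2.4465",     # fixed 12.x build
    "vbr-lab-01": "13.0.1.2067",    # fixed 13.x build
    "vbr-old-01": "12.1.0.2131",    # constructed earlier 12.x build
}

if __name__ == "__main__":
    for host, (ver, status) in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host:12s} {ver:14s} {status}")
```

Hosts reported as `affected` or `unknown` should be patched (or verified by hand) first; `unknown` exists deliberately so that a build the advisory does not mention is never reported as safe by default.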
