Veeam Patches Five Critical RCE Flaws in Backup & Replication
Veeam releases emergency patches for five critical RCE vulnerabilities (CVSS 9.9) affecting Backup & Replication. Domain users can fully compromise backup servers.
Veeam Software released emergency security updates today addressing five critical and high-severity vulnerabilities in its Backup & Replication product. The most severe flaws carry near-maximum CVSS scores of 9.9 and allow authenticated domain users to execute arbitrary code on backup servers with minimal effort.
The timing couldn't be worse for organizations running unpatched Veeam infrastructure. Ransomware groups have increasingly targeted backup systems throughout 2025 and 2026, recognizing that disabling an organization's recovery capabilities dramatically increases the pressure to pay extortion demands.
TL;DR
- What happened: Veeam patched five vulnerabilities, including three critical RCE flaws
- Who's affected: All Veeam Backup & Replication 12.x and 13.x builds before today's patches
- Severity: Critical - CVSS 9.9 for multiple flaws
- Action required: Update to version 12.3.2.4465 or 13.0.1.2067 immediately
The Vulnerabilities
Three of the five patched vulnerabilities received critical severity ratings with CVSS 3.1 scores of 9.9, indicating trivial exploitation requirements and catastrophic impact.
CVE-2026-21666 and CVE-2026-21667 (CVSS 9.9)
Both vulnerabilities allow any authenticated domain user to achieve remote code execution on the Backup Server itself. The attack vector requires network access, low privileges, and no user interaction. The CVSS scope metric is Changed, meaning a compromise of the backup server can affect resources beyond the vulnerable component itself.
CVE-2026-21666 was reported through HackerOne, while CVE-2026-21667 was discovered during Veeam's internal security testing. The CWE classification identifies improper access control as the root cause.
CVE-2026-21708 (CVSS 9.9)
This flaw permits users with only Backup Viewer permissions to execute remote code as the postgres database user. Given that Backup Viewer is typically the lowest privilege role in Veeam environments, this represents a significant escalation path.
CVE-2026-21672 (CVSS 8.8)
A local privilege escalation vulnerability affecting Windows-based Veeam servers. Attackers with local access can elevate privileges, making this valuable as a second-stage exploit after initial access.
CVE-2026-21668 (CVSS 8.8)
Authenticated users can bypass access restrictions to manipulate files on Backup Repository storage. This could enable backup destruction or modification.
Version 13 Also Affected
Organizations running the newer version 13 branch face additional vulnerabilities. The Veeam KB4738 advisory documents patches for:
- CVE-2026-21669 (Critical, 9.9): Domain user RCE, similar to the version 12 flaws
- CVE-2026-21671 (Critical, 9.1): Backup Administrators can execute code in high-availability deployments
- CVE-2026-21670 (High, 7.7): Low-privileged users can extract saved SSH credentials
The SSH credential extraction vulnerability is particularly concerning for organizations using Veeam to protect Linux infrastructure. Stolen credentials could enable lateral movement across the environment.
Why Ransomware Groups Care
Backup infrastructure has become the first target for sophisticated ransomware operations. Groups like Akira and Fog exploited previous Veeam vulnerabilities starting in late 2024, using CVE-2024-40711 to compromise backup servers before deploying ransomware across victim networks.
The strategy is straightforward: if attackers control backups, victims can't recover without paying. CISA added CVE-2024-40711 to its Known Exploited Vulnerabilities catalog after confirming active ransomware exploitation.
Today's patches address a new generation of flaws that could enable similar attacks. The low attack complexity and authentication requirements—any domain user—mean these vulnerabilities are accessible to attackers who have gained even minimal footholds in target environments.
Affected Versions and Patches
| Branch | Vulnerable Versions | Fixed Version |
|---|---|---|
| 12.x | 12.3.2.4165 and earlier | 12.3.2.4465 |
| 13.x | 13.0.1.180 and earlier | 13.0.1.2067 |
The patches are available through Veeam's knowledge base. Version 11.x and earlier builds are no longer supported and should be considered vulnerable to these and other unpatched flaws.
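As an added example (not code from Veeam or from this article), the following script classifies Veeam Backup & Replication build numbers from an asset inventory against the fixed builds in the table above; the inventory hostnames and the 11.x build string are constructed placeholders.

```python
# Added example: classify Veeam Backup & Replication builds against the fixed
# builds named in this article. Not vendor code; branch table is constructed
# from the article's version table.
from typing import Tuple

# Fixed builds per major branch, taken from the article's table.
FIXED_BUILDS = {
    12: (12, 3, 2, 4465),
    13: (13, 0, 1, 2067),
}

def parse_build(version: str) -> Tuple[int, ...]:
    """Turn '12.3.2.4165' into (12, 3, 2, 4165); reject non-numeric input."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted build number: {version!r}")
    return tuple(int(p) for p in parts)

def assess(version: str) -> str:
    """Return 'patched', 'vulnerable', 'unsupported' (11.x or older, no fix
    exists) or 'unknown' (branch newer than the article covers)."""
    build = parse_build(version)
    major = build[0]
    if major < 12:
        return "unsupported"
    fixed = FIXED_BUILDS.get(major)
    if fixed is None:
        return "unknown"
    # Tuple comparison is lexicographic, so a short string like '12.3'
    # compares as older than the fixed build and is reported vulnerable.
    return "patched" if build >= fixed else "vulnerable"

def triage(inventory: dict) -> dict:
    """Group hostnames by assessment for a simple patch-status report."""
    report: dict = {}
    for host, version in inventory.items():
        report.setdefault(assess(version), []).append(host)
    return report

if __name__ == "__main__":
    # Constructed sample inventory; hostnames and the 11.x build are placeholders.
    sample = {
        "vbr-prod-01": "12.3.2.4165",
        "vbr-prod-02": "12.3.2.4465",
        "vbr-lab-01": "13.0.1.180",
        "vbr-lab-02": "13.0.1.2067",
        "vbr-old-01": "11.0.0.1",
    }
    for status, hosts in sorted(triage(sample).items()):
        print(f"{status:12s} {', '.join(sorted(hosts))}")
```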
Immediate Actions
Security teams should prioritize these mitigations:
- Patch immediately: Deploy version 12.3.2.4465 or 13.0.1.2067 before attackers develop exploits
- Audit domain access: Review which domain accounts can reach Veeam servers
- Check Backup Viewer permissions: Remove unnecessary Backup Viewer role assignments
- Network segmentation: Isolate backup infrastructure from general user networks
- Enable MFA: Require multi-factor authentication for all Veeam administrative access
- Review SSH keys: Rotate any SSH credentials stored in Veeam if running version 13
Organizations should also audit recent backup server activity for anomalies. Attackers may have exploited these vulnerabilities before patches were available, establishing persistence for later ransomware deployment.
Broader Context
This marks the second major Veeam security update in 2026. January's patches addressed CVE-2025-59470, a CVSS 9.0 vulnerability enabling RCE through malicious backup configuration files. That disclosure also included three additional high-severity flaws.
The pattern underscores why backup infrastructure requires the same security attention as production systems. With groups like Everest actively targeting enterprise backup data, unpatched Veeam servers represent attractive entry points for attackers seeking maximum leverage over victims.
Veeam's 550,000+ customer base includes organizations across every industry vertical. Many rely on Backup & Replication to protect critical systems, making prompt patching essential for maintaining both data integrity and ransomware resilience.