Addressing 7 Critical Backup & Replication Vulnerabilities: A Veeam Patch Update

Veeam has recently issued security updates to fix multiple critical vulnerabilities in its Backup & Replication software that, if exploited, could lead to remote code execution.

The identified vulnerabilities are as follows –

  • CVE-2026-21666 (CVSS score: 9.9) – An issue that enables an authenticated domain user to execute remote code on the Backup Server.
  • CVE-2026-21667 (CVSS score: 9.9) – An issue that allows an authenticated domain user to execute remote code on the Backup Server.
  • CVE-2026-21668 (CVSS score: 8.8) – An issue that enables an authenticated domain user to bypass restrictions and manipulate files on a Backup Repository.
  • CVE-2026-21672 (CVSS score: 8.8) – An issue that allows local privilege escalation on Windows-based Veeam Backup & Replication servers.
  • CVE-2026-21708 (CVSS score: 9.9) – An issue that enables a Backup Viewer to execute remote code as the postgres user.

These vulnerabilities affect Veeam Backup & Replication 12.3.2.4165 and all earlier version 12 builds. The fixes have been implemented in version 12.3.2.4465. Additionally, CVE-2026-21672 and CVE-2026-21708 have been addressed in Backup & Replication 13.0.1.2067, which also resolves two other critical security issues –

  • CVE-2026-21669 (CVSS score: 9.9) – An issue that allows an authenticated domain user to execute remote code on the Backup Server.
  • CVE-2026-21671 (CVSS score: 9.1) – An issue that enables an authenticated user with the Backup Administrator role to execute remote code in high availability (HA) setups of Veeam Backup & Replication.

The company emphasized the importance of promptly updating Veeam software to the latest version to mitigate potential risks. Once a vulnerability is disclosed, threat actors may attempt to exploit unpatched systems.

Given the history of ransomware attacks exploiting vulnerabilities in Veeam software, it is crucial for users to stay vigilant and ensure their systems are up to date.
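A patch-triage check built from the fixed builds and CVE scores listed above, as an added example that is not Veeam's code. The host names and the build 13.0.1.1000 are constructed sample values, and treating every build below its branch's fixed build as unpatched is an assumption.

```python
# Fixed builds and CVE/CVSS pairs as stated in the article; everything else is illustrative.
FIXED = {
    12: ((12, 3, 2, 4465), {
        "CVE-2026-21666": 9.9, "CVE-2026-21667": 9.9, "CVE-2026-21668": 8.8,
        "CVE-2026-21672": 8.8, "CVE-2026-21708": 9.9}),
    13: ((13, 0, 1, 2067), {
        "CVE-2026-21672": 8.8, "CVE-2026-21708": 9.9,
        "CVE-2026-21669": 9.9, "CVE-2026-21671": 9.1}),
}

def parse_build(text):
    """Turn '12.3.2.4165' into a comparable tuple; reject anything else."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part build number: {text!r}")
    return tuple(int(p) for p in parts)

def open_cves(build_text):
    """Return {cve: cvss} still outstanding for this build, per the article."""
    build = parse_build(build_text)
    if build[0] not in FIXED:
        raise ValueError(f"major version {build[0]} is not covered by the article")
    fixed_build, cves = FIXED[build[0]]
    # Assumption: any build below the fixed build of its branch is unpatched.
    return dict(cves) if build < fixed_build else {}

def triage(inventory):
    """Rank hosts by worst outstanding CVSS; unusable build strings go to review."""
    pending, review = [], []
    for host, build_text in inventory.items():
        try:
            cves = open_cves(build_text)
        except ValueError as err:
            review.append((host, str(err)))
            continue
        if cves:
            pending.append((host, max(cves.values()), sorted(cves)))
    pending.sort(key=lambda row: (-row[1], row[0]))
    return pending, review

# Constructed inventory: hypothetical hosts, 13.0.1.1000 is a made-up build.
SAMPLE = {"vbr-a": "12.3.2.4165", "vbr-b": "12.3.2.4465",
          "vbr-c": "13.0.1.1000", "vbr-d": "13.0.1.2067", "vbr-e": "unknown"}

if __name__ == "__main__":
    pending, review = triage(SAMPLE)
    for host, worst, cves in pending:
        print(f"{host}: update required, worst CVSS {worst}: {', '.join(cves)}")
    for host, reason in review:
        print(f"{host}: manual review ({reason})")
```
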
