Veeam has issued critical security updates addressing multiple high-severity vulnerabilities within its Backup & Replication software. The disclosures, detailed on March 13, 2026, highlight potential avenues for remote code execution and system manipulation by authenticated users, posing a significant risk to enterprise security. Immediate patching is strongly advised to mitigate the threat of exploitation by malicious actors.
Critical Vulnerabilities Affecting Veeam Backup & Replication
Veeam, a leading provider of backup solutions, has identified and patched several critical security flaws in its widely-used Backup & Replication software. The vulnerabilities, if exploited, could grant attackers the ability to execute arbitrary code remotely on the backup server, bypass security restrictions, and manipulate sensitive data. The company’s advisory emphasizes the urgent need for users of affected versions to apply the latest security updates.
Among the most severe is CVE-2026-21666, which carries a CVSS score of 9.9. This vulnerability allows an authenticated domain user to achieve remote code execution on the Backup Server. Similarly, CVE-2026-21667, also rated at 9.9, presents the same remote code execution risk under similar conditions. These findings underscore the sophisticated nature of the threats enterprises face in maintaining robust cybersecurity defenses.
Additional vulnerabilities outlined by Veeam include CVE-2026-21668 and CVE-2026-21672, both rated with a CVSS score of 8.8. The former permits authenticated domain users to bypass restrictions and manipulate arbitrary files on a Backup Repository, potentially leading to data corruption or unauthorized access. The latter enables local privilege escalation on Windows-based Veeam Backup & Replication servers, allowing an attacker with initial access to gain higher levels of control.
Furthermore, CVE-2026-21708, a critical flaw with a CVSS score of 9.9, allows a Backup Viewer to perform remote code execution as the postgres user. This is particularly concerning as it exploits a privileged account within the backup infrastructure, which typically houses vast amounts of critical data.
Details on Patched Versions and Additional Flaws
The vulnerabilities detailed above affect Veeam Backup & Replication version 12.3.2.4165 and all prior builds of version 12. These issues have been addressed in version 12.3.2.4465. However, two other critical security flaws, CVE-2026-21669 and CVE-2026-21671, have also been fixed and are addressed in Backup & Replication 13.0.1.2067.
CVE-2026-21669, with a CVSS score of 9.9, also allows an authenticated domain user to perform remote code execution on the Backup Server, mirroring the risk presented by some of the earlier identified vulnerabilities. Meanwhile, CVE-2026-21671, rated at a CVSS score of 9.1, poses a significant threat by allowing an authenticated user with the Backup Administrator role to execute remote code in high availability (HA) deployments of Veeam Backup & Replication. This highlights the potential for widespread disruption in complex environments.
Veeam has explicitly warned that once a vulnerability and its corresponding patch are publicly disclosed, attackers will invariably attempt to reverse-engineer the patch to target unpatched systems. This process, known as patch-gapping, is a common tactic used by threat actors to exploit known weaknesses before organizations can implement the necessary fixes.
The company’s advisory underscores the historical use of vulnerabilities in Veeam software by threat actors to facilitate ransomware attacks. Given this context, it is imperative for all users to upgrade their Veeam Backup & Replication instances to the latest available versions without delay. Proactive patching is the most effective defense against these evolving cybersecurity threats.
Organizations are advised to consult Veeam’s official security advisories for detailed instructions on applying the latest updates. Failure to do so could leave critical backup infrastructure exposed to potentially devastating attacks, compromising data integrity and business continuity. The implications of these vulnerabilities serve as a stark reminder of the constant vigilance required in the realm of enterprise security and the critical role of timely software updates.