7 min read
By: RedLegg's Cyber Threat Intelligence Team
About:
Multiple critical vulnerabilities have been identified in Veeam Backup & Replication that could allow authenticated users to execute arbitrary code on the Veeam Backup Server. These flaws affect core backup infrastructure and could enable attackers with valid domain credentials or low-privileged roles to execute commands on the system and potentially compromise backup environments. Successful exploitation may lead to full control of backup servers and access to sensitive backup data, increasing the risk of ransomware impact and recovery disruption.
RedLegg will occasionally communicate vulnerabilities released outside the usual release schedule to provide additional value to our customers. These emergency bulletins describe vulnerabilities or threats we classify as the highest severity level and warrant out-of-band emergency patching or mitigation action.
VULNERABILITIES
Remote Code Execution Vulnerability in Veeam Backup & Replication
CVSS Score: 9.9 (Critical, CVSS v3.1)
Identifier: CVE-2026-21666, CVE-2026-21667
PoC or Exploitation:
No confirmed reports of active exploitation in the wild and no publicly available proof-of-concept exploit code at this time.
Update/ Patch:
Veeam has released security updates to address this vulnerability.
Affected versions include:
Veeam Backup & Replication 12.3.2.4165 and all earlier version 12 builds.
Fixed version:
Veeam Backup & Replication 12.3.2.4465 and later.
Veeam advisory and patch guidance:
Description:
CVE-2026-21666 and CVE-2026-21667 are critical remote code execution vulnerabilities affecting Veeam Backup & Replication. The vulnerability allows an authenticated domain user to execute arbitrary code on the Veeam Backup Server.
An attacker with valid domain credentials could exploit this flaw to run malicious code on the backup infrastructure.
Mitigation Recommendation:
Immediately upgrade Veeam Backup & Replication to version 12.3.2.4465 or later.
Restrict administrative and service access to the Veeam Backup Server to trusted management networks only.
Remote Code Execution Vulnerability in Veeam Backup & Replication
CVSS Score: 9.9 (Critical, CVSS v3.1)
Identifier: CVE-2026-20128
PoC or Exploitation:
As of the vendor advisory release, there are no confirmed reports of active exploitation in the wild and no publicly available proof-of-concept exploit code.
Update/ Patch:
Veeam has released security updates addressing this vulnerability.
Affected versions include:
Veeam Backup & Replication 12.3.2.4165 and all earlier version 12 builds.
Fixed version:
Veeam Backup & Replication 12.3.2.4465 and later.
Veeam advisory and patch guidance:
Description:
CVE-2026-21708 is a critical remote code execution vulnerability affecting Veeam Backup & Replication. The vulnerability allows a user with the Backup Viewer role to execute arbitrary code as the postgres user on the Veeam system.
Exploitation of this vulnerability could allow a low-privileged user to escalate their capabilities and execute malicious commands on the underlying system.
Exploitation of this vulnerability could allow a low-privileged user to escalate their capabilities and execute malicious commands on the underlying system.
Mitigation Recommendation:
Immediately upgrade Veeam Backup & Replication to version 12.3.2.4465 or later.
Restrict and review role-based access permissions within Veeam Backup & Replication, especially accounts assigned the Backup Viewer role.
Restrict and review role-based access permissions within Veeam Backup & Replication, especially accounts assigned the Backup Viewer role.
