Full Report
Veeam has released security updates to address multiple critical vulnerabilities in its Backup & Replication software that, if successfully exploited, could result in remote code execution. The vulnerabilities are as follows - CVE-2026-21666 (CVSS score: 9.9) - A vulnerability that allows an authenticated domain user to perform remote code execution on the Backup Server. CVE-2026-21667 (
Analysis Summary
# Vulnerability: Multiple Critical Flaws in Veeam Backup & Replication
## CVE Details
- **CVE-2026-21666**: 9.9 (Critical) - Authenticated RCE on Backup Server
- **CVE-2026-21667**: 9.9 (Critical) - Authenticated RCE on Backup Server
- **CVE-2026-21669**: 9.9 (Critical) - Authenticated RCE on Backup Server
- **CVE-2026-21708**: 9.9 (Critical) - RCE as Postgres user
- **CVE-2026-21671**: 9.1 (Critical) - RCE in HA deployments
- **CVE-2026-21668**: 8.8 (High) - Arbitrary file manipulation
- **CVE-2026-21672**: 8.8 (High) - Local Privilege Escalation (LPE)
## Affected Systems
- **Products**: Veeam Backup & Replication
- **Versions**:
  - All version 12 builds prior to 12.3.2.4165.
  - Version 13.x builds prior to 13.0.1.2067.
- **Configurations**: Windows-based Backup & Replication servers; High Availability (HA) deployments (for CVE-2026-21671).
## Vulnerability Description
This suite of vulnerabilities primarily consists of Remote Code Execution (RCE) flaws. The most severe (CVE-2026-21666, -21667, -21669) allow an authenticated domain user to execute code on the Backup Server. Other flaws involve bypassing restrictions to manipulate files on repositories, elevating local privileges on Windows servers, or executing code specifically under the context of the `postgres` user via the Backup Viewer role.
## Exploitation
- **Status**: Not exploited (at time of report); however, Veeam warns that reverse-engineering of the patch by threat actors is highly likely.
- **Complexity**: Variable (Technical details suggest Low to Medium for authenticated users).
- **Attack Vector**: Network (RCE) and Local (LPE).
## Impact
- **Confidentiality**: High (Full system access and data exposure).
- **Integrity**: High (Arbitrary file manipulation and code execution).
- **Availability**: High (Potential for system takeover or ransomware deployment).
## Remediation
### Patches
Veeam recommends updating to the following versions immediately:
- **Veeam Backup & Replication v12**: Update to version **12.3.2.4465** (KB4696).
- **Veeam Backup & Replication v13**: Update to version **13.0.1.2067** (KB4738).
### Workarounds
No specific functional workarounds were provided; immediate patching is the strongly recommended course of action due to the critical nature of RCE.
## Detection
- **Indicators of Compromise**: Monitor for unusual service account activity, specifically accounts associated with Veeam services or the `postgres` user.
- **Detection methods and tools**: Review Windows Event Logs and Veeam-specific logs for unauthorized file manipulation or unexpected command executions originating from domain user accounts.
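
One way to start the log review described above, as an added example (not from Veeam or the source article): a Python triage over process-creation records shaped like Windows Security event 4688. The `svc_veeam` account, the `veeam`/`postgres` parent-name prefixes, the interpreter list and the sample records are assumptions constructed for illustration.

```python
import json
from pathlib import PureWindowsPath

# Assumptions, not taken from the advisory: adapt all three sets locally.
WATCHED_ACCOUNTS = {"postgres", "svc_veeam"}   # svc_veeam is a hypothetical service account
PARENT_PREFIXES = ("veeam", "postgres")        # image-name prefixes of backup/database services
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe"}

# Constructed sample input: one JSON object per line, using event 4688 field names.
SAMPLE_EVENTS = r"""
{"SubjectUserName":"postgres","NewProcessName":"C:\\Windows\\System32\\cmd.exe","ParentProcessName":"C:\\Program Files\\PostgreSQL\\15\\bin\\postgres.exe"}
{"SubjectUserName":"jdoe","NewProcessName":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentProcessName":"C:\\Program Files\\Veeam\\Backup and Replication\\Backup\\Veeam.Backup.Service.exe"}
{"SubjectUserName":"jdoe","NewProcessName":"C:\\Windows\\System32\\cmd.exe","ParentProcessName":"C:\\Windows\\explorer.exe"}
{"SubjectUserName":"postgres","NewProcessName":"C:\\Program Files\\PostgreSQL\\15\\bin\\postgres.exe","ParentProcessName":"C:\\Program Files\\PostgreSQL\\15\\bin\\pg_ctl.exe"}
not-json: truncated export line
"""

def image(path):
    """Lower-cased file name of a Windows path; empty string if the field is missing."""
    return PureWindowsPath(path or "").name.lower()

def triage(lines):
    """Return (line_no, child_image, reason) for interpreter launches worth review."""
    findings = []
    for n, line in enumerate(lines.strip().splitlines(), 1):
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            # Do not silently drop records: a gap in the log is itself worth a look.
            findings.append((n, "unparsed", "malformed record"))
            continue
        child = image(ev.get("NewProcessName"))
        if child not in INTERPRETERS:
            continue  # normal service children (e.g. postgres.exe workers) are ignored
        user = (ev.get("SubjectUserName") or "").lower()
        parent = image(ev.get("ParentProcessName"))
        reasons = []
        if user in WATCHED_ACCOUNTS:
            reasons.append(f"account {user}")
        if parent.startswith(PARENT_PREFIXES):
            reasons.append(f"parent {parent}")
        if reasons:
            findings.append((n, child, ", ".join(reasons)))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Process-creation auditing must be enabled for event 4688 to be recorded, and legitimate backup jobs can launch interpreters, so treat hits as leads to baseline rather than as confirmed compromise.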
## References
- **Vendor Advisories**:
  - hxxps[://]www[.]veeam[.]com/kb4830
  - hxxps[://]www[.]veeam[.]com/kb4831
  - hxxps[://]www[.]veeam[.]com/kb4696
  - hxxps[://]www[.]veeam[.]com/kb4738
- **Source Article**: hxxps[://]thehackernews[.]com/2026/03/veeam-patches-7-critical-backup[.]html