Veeam Backup & Replication critical RCE flaws (multiple vulnerabilities)
Vulnerability
Summary
Veeam Backup & Replication has been patched for four critical RCE vulnerabilities, closing a path that could let low-privileged users and a Backup Viewer run code on vulnerable backup servers. Three of the flaws are CVE-2026-21666, CVE-2026-21667, and CVE-2026-21669; the fourth is CVE-2026-21708, which can elevate a Backup Viewer to remote code execution as the postgres user. Veeam fixed the issues in 12.3.2.4465 and 13.0.1.2067 and urged admins to upgrade quickly because exposed backup systems are attractive targets for ransomware crews.
Timeline
- 12.03.2026 18:59
Veeam patches critical Veeam Backup & Replication RCE flaws
Mitigation Patch Update
Veeam Software patched multiple flaws in Veeam Backup & Replication, including four critical RCE vulnerabilities tracked as CVE-2026-21666, CVE-2026-21667, CVE-2026-21669, and CVE-2026-21708. The company also fixed high-severity issues that could escalate privileges on Windows-based Veeam Backup & Replication servers, extract saved SSH credentials, or bypass restrictions to manipulate arbitrary files on a Backup Repository, and said the issues were resolved in versions 12.3.2.4465 and 13.0.1.2067.
Sources
- Veeam warns of critical flaws exposing backup servers to RCE attacks — www.bleepingcomputer.com — 12.03.2026 18:59