Veeam Patches Seven Critical Backup Flaws Allowing Remote Code Execution
Veeam has released security updates to fix seven critical vulnerabilities in its Backup & Replication software that Veeam said could allow remote code execution and privilege escalation if exploited.
Veeam listed the affected issues by CVE and impact. The company said the most severe allow low-privileged domain users to execute code on backup servers, and allow a user with the Backup Viewer role to run code as the postgres user. Veeam named the following tracked flaws: CVE-2026-21666, CVE-2026-21667, CVE-2026-21669, and CVE-2026-21708 as critical remote code execution issues; CVE-2026-21668 and CVE-2026-21672, which allow repository file manipulation and local privilege escalation; and CVE-2026-21671, which affects HA deployments.
According to Veeam, the problems affect Backup & Replication 12.3.2.4165 and earlier 12.x builds and are addressed in version 12.3.2.4465. Veeam also said CVE-2026-21672 and CVE-2026-21708 were fixed in 13.0.1.2067, which also includes fixes for CVE-2026-21669 and CVE-2026-21671.
Veeam told customers the issues were found during internal testing and through HackerOne reports. The vendor warned administrators to apply updates promptly because, as Veeam put it, “once a vulnerability and its associated patch are disclosed, attackers will likely attempt to reverse-engineer the patch to exploit unpatched deployments of Veeam software.”
Veeam explained that exploitability varies by flaw. The company said three RCE bugs allow low-privileged domain users to run commands on vulnerable backup servers with relatively low complexity, and another bug gives users with Backup Viewer rights the ability to achieve code execution as the postgres account. Veeam also highlighted high-severity issues that can expose saved SSH credentials, permit arbitrary file manipulation on backup repositories, or be used to escalate privileges on Windows-based VBR servers.
The vendor emphasized urgency because Backup & Replication servers are attractive targets. Veeam noted that its software is widely deployed, saying its products are used by more than 550,000 customers worldwide, and that backup servers have been targeted in past ransomware operations. Veeam pointed to previous incidents that security researchers have linked to groups such as FIN7 and the Cuba ransomware gang.
Security responders at Sophos X-Ops also reported that Frag ransomware exploited an earlier VBR RCE bug, and that the same weakness was subsequently used by Akira and Fog ransomware families. These examples, Veeam said, show how quickly threat actors can weaponize backup-focused vulnerabilities.
Veeam urged customers to upgrade to the fixed releases immediately and to follow standard mitigations such as limiting administrative access to backup infrastructure and isolating backup servers from general user networks. “This reality underscores the critical importance of ensuring that all customers use the latest versions of our software and install all updates and patches without delay,” Veeam said.
Administrators running affected versions should schedule patching, verify backups before and after updates, and monitor logs for suspicious activity. Veeam advised organizations that cannot patch immediately to apply compensating controls and contact Veeam support for guidance.
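To help with the inventory step, here is an added triage helper (not Veeam's code and not from the article) that compares reported Backup & Replication build numbers against the fixed builds named above; the host names and versions in the sample inventory are constructed, and treating every 13.0 build before 13.0.1.2067 as affected is an inference from the article rather than a statement Veeam made.

```python
# Added example: triage a fleet of Backup & Replication servers by build number.
# Fixed builds come from the article; the inventory below is constructed.
from typing import Dict, Tuple

# Fixed build per major branch. 12.x: 12.3.2.4465; 13.x: 13.0.1.2067 (inferred
# that earlier 13.0 builds are affected, since that release fixes four CVEs).
FIXED_BUILD: Dict[int, Tuple[int, ...]] = {
    12: (12, 3, 2, 4465),
    13: (13, 0, 1, 2067),
}


def parse_build(version: str) -> Tuple[int, ...]:
    """Turn '12.3.2.4165' into (12, 3, 2, 4165) so builds compare numerically."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric build: {version!r}")
    return tuple(int(p) for p in parts)


def assess(version: str) -> str:
    """Classify one reported build: patched, affected, or outside the branches listed."""
    build = parse_build(version)
    fixed = FIXED_BUILD.get(build[0])
    if fixed is None:
        return "unknown branch: check the vendor advisory"
    # Tuple comparison is element-wise; a truncated string such as '12.3.2'
    # sorts below the full fixed build and is therefore reported as affected.
    if build >= fixed:
        return "patched"
    return "AFFECTED: upgrade to " + ".".join(str(n) for n in fixed)


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each host in the inventory to its assessment."""
    return {host: assess(version) for host, version in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and builds are placeholders.
    sample = {
        "vbr-prod-01": "12.3.2.4165",   # last affected 12.x build named in the article
        "vbr-prod-02": "12.3.2.4465",   # fixed 12.x release
        "vbr-lab-01": "13.0.1.2067",    # fixed 13.x release
        "vbr-lab-02": "11.0.1.1261",    # branch not covered by the advisory text
    }
    for host, verdict in triage(sample).items():
        print(f"{host}: {verdict}")
```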