Veeam Backup & Replication Critical Vulnerabilities

Overview
  • Vendor: Veeam

  • Product: Veeam Backup & Replication

  • CVE: CVE-2026-21666, CVE-2026-21667, CVE-2026-21669, CVE-2026-21671

  • Severity: Critical

  • Date: 13 March 2026

Summary

Veeam has released security advisories for four critical vulnerabilities affecting Veeam Backup & Replication and the Veeam Software Appliance. The vulnerabilities allow authenticated users to execute code remotely on affected systems. Successful exploitation could lead to compromise of backup infrastructure and associated environments.

Affected Versions
  • Veeam Backup & Replication 12.3.2.4165 and all earlier version 12 builds.

  • Veeam Backup & Replication 13.0.1.1071 and all earlier version 13 builds.

  • Fixed versions:

    • Veeam Backup & Replication 12.3.2.4465

    • Veeam Backup & Replication 13.0.1.2067

Vulnerability Breakdown
CVE-2026-21666 - Remote Code Execution (Backup Server)
  • Severity: Critical

  • CVSS: 9.9

  • Description: An authenticated domain user can perform remote code execution on the Veeam Backup Server.

  • Impact: Remote code execution on the backup server, with potential full system and data compromise.

  • Conditions: Authenticated domain user access required.

  • Notes: Affects Veeam Backup & Replication version 12 builds up to 12.3.2.4165.

CVE-2026-21667 - Remote Code Execution (Backup Server)
  • Severity: Critical

  • CVSS: 9.9

  • Description: An authenticated domain user can perform remote code execution on the Veeam Backup Server.

  • Impact: Remote code execution on the backup server, with potential full system and data compromise.

  • Conditions: Authenticated domain user access required.

  • Notes: Affects Veeam Backup & Replication version 12 builds up to 12.3.2.4165.

CVE-2026-21669 - Remote Code Execution (Backup Server)
  • Severity: Critical

  • CVSS: 9.9

  • Description: An authenticated domain user can perform remote code execution on the Veeam Backup Server.

  • Impact: Remote code execution on the backup server, with potential full system and data compromise.

  • Conditions: Authenticated domain user access required.

  • Notes: Affected deployment type is Windows-based Veeam Backup & Replication (version 13 builds up to 13.0.1.1071).

CVE-2026-21671 - Remote Code Execution (HA deployments)
  • Severity: Critical

  • CVSS: 9.1 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)

  • Description: An authenticated user with the Backup Administrator role can perform remote code execution in high availability deployments.

  • Impact: Remote code execution affecting HA deployments, with potential takeover of backup infrastructure.

  • Conditions: Backup Administrator role required.

  • Notes: Affected deployment type is the Veeam Software Appliance.

Mitigation
  • Patch immediately to:

    • Veeam Backup & Replication 12.3.2.4465 (for version 12 deployments)

    • Veeam Backup & Replication 13.0.1.2067 (for version 13 deployments)

  • Review and limit access to Veeam roles, especially Backup Viewer and administrative roles.

  • Restrict network access to management interfaces and backup infrastructure.

  • Monitor for unusual activity on backup servers and repositories following patch deployment.
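
To prioritise patching, the build ranges above can be checked against an inventory of installed builds. The following is an added example, not Veeam or Secure ISS code; the function names and the "windows"/"appliance" labels are hypothetical, and applying the version 13 build range to CVE-2026-21671 is an assumption, since the advisory gives only the deployment type for that CVE.

```python
# Build numbers and CVE mappings are copied from this advisory.
LAST_AFFECTED = {12: (12, 3, 2, 4165), 13: (13, 0, 1, 1071)}
FIXED = {12: (12, 3, 2, 4465), 13: (13, 0, 1, 2067)}

# (major version, deployment type) -> CVEs, per each CVE's "Notes" line.
# Deployment labels are hypothetical names chosen for this example.
CVES = {
    (12, "windows"): ["CVE-2026-21666", "CVE-2026-21667"],
    (13, "windows"): ["CVE-2026-21669"],
    (13, "appliance"): ["CVE-2026-21671"],  # assumption: v13 build range applies
}


def parse_build(text):
    """Turn '12.3.2.4165' into (12, 3, 2, 4165); reject anything else."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part build number: {text!r}")
    return tuple(int(p) for p in parts)


def triage(build_text, deployment="windows"):
    """Return (status, applicable CVEs) for one installed build."""
    build = parse_build(build_text)
    major = build[0]
    if major not in FIXED:
        return ("not-covered", [])          # advisory lists only v12 and v13
    if build >= FIXED[major]:
        return ("fixed", [])
    cves = CVES.get((major, deployment), [])
    if build <= LAST_AFFECTED[major]:
        return ("affected", cves)
    # Between the last listed affected build and the fixed build:
    # the advisory does not list it either way, so treat it as unpatched.
    return ("unlisted-upgrade", cves)


if __name__ == "__main__":
    # Constructed inventory: host names and builds are sample values.
    inventory = [
        ("vbr-01", "12.3.2.4165", "windows"),
        ("vbr-02", "12.3.2.4465", "windows"),
        ("vsa-01", "13.0.1.1071", "appliance"),
    ]
    for host, build, deployment in inventory:
        status, cves = triage(build, deployment)
        print(f"{host:8} {build:14} {status:18} {', '.join(cves)}")
```
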

Summary for IT Teams
  • Products: Veeam Backup & Replication

  • Threat Level: Critical (up to CVSS 9.9)

  • Action Required: Patch immediately to the fixed builds for your major version and review privileged access to Veeam roles.

Need Help?

Secure ISS can help validate exposure, prioritise patching, and monitor for malicious activity affecting backup infrastructure. If you need urgent support, contact our SOC team on 1300 769 460.

Australia is secure when
Australian talent defends it.

Reach out today to discuss how with Lumara, we can work together to protect your business from the always changing Australian threat landscape.
