Critical RCE and Privilege-Escalation Vulnerabilities Patched in Veeam Backup & Replication
Veeam released security updates for Veeam Backup & Replication (VBR) addressing multiple vulnerabilities, including four critical remote code execution (RCE) flaws that could allow code execution on backup servers under certain access conditions. Reported issues include RCE paths for low-privileged domain users (CVE-2026-21666, CVE-2026-21667, CVE-2026-21669) and an additional RCE scenario where a Backup Viewer could achieve code execution as the postgres user (CVE-2026-21708). Veeam also fixed several high-severity issues enabling actions such as privilege escalation on Windows-based VBR servers, extraction of saved SSH credentials, and bypassing restrictions to manipulate arbitrary files on a Backup Repository.
The Canadian Centre for Cyber Security relayed Veeam’s advisory and urged organizations to apply updates, noting affected branches as VBR 12 and 13 prior to fixed releases. Veeam’s fixes are available in Veeam Backup & Replication 12.3.2.4465 and 13.0.1.2067, and the vendor warned that attackers commonly reverse-engineer patches shortly after release to target unpatched deployments—an elevated concern given VBR’s frequent targeting in ransomware operations. Other Canadian Centre advisories in the same period covered unrelated vendor updates (e.g., ABB, GitHub, Splunk, JetBrains, Hitachi, VMware, Fortinet, Mozilla) and do not describe the Veeam RCE issue.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Canadian Centre for Cyber Security issues alert on Veeam advisories
On 2026-03-12, the Canadian Centre for Cyber Security published advisory AV26-229 highlighting Veeam's security advisories for Backup & Replication 12 and 13. It advised administrators to review the vendor guidance and apply the necessary updates.
Veeam publishes advisories and patches critical VBR flaws
On 2026-03-12, Veeam disclosed multiple vulnerabilities in Veeam Backup & Replication, including four critical remote code execution flaws and several high-severity issues affecting privilege escalation, SSH credential extraction, and file manipulation. The company released fixes in Veeam Backup & Replication versions 12.3.2.4465 and 13.0.1.2067 and urged customers to upgrade quickly.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Veeam Fixes Multiple Critical Backup & Replication RCE Vulnerabilities
**Veeam** released security updates for **Backup & Replication** to address multiple high-severity flaws, including several **remote code execution** issues affecting version `12.3.2.4165` and all earlier version 12 builds. The disclosed vulnerabilities include `CVE-2026-21666`, `CVE-2026-21667`, `CVE-2026-21668`, `CVE-2026-21672`, and `CVE-2026-21708`, with several carrying **CVSS 9.9** ratings. According to the advisories, successful exploitation could allow authenticated domain users to execute code on the backup server, manipulate arbitrary files on a backup repository, or achieve local privilege escalation on Windows-based servers. Veeam said the issues were fixed in **Backup & Replication** version `12.3.2.4465`, while `CVE-2026-21672` and `CVE-2026-21708` were also remediated in version `13.0.1.2067`, alongside additional critical flaws `CVE-2026-21669` and `CVE-2026-21671`. The company warned that public patch disclosure increases the likelihood of **patch reverse engineering** and follow-on attacks against unpatched systems, making rapid remediation a priority for organizations running exposed or domain-connected Veeam infrastructure.
Mar 20, 2026
Critical Vulnerabilities Patched in Veeam Backup & Replication Software
Veeam has released security updates for its Backup & Replication software, addressing four significant vulnerabilities, including a critical remote code execution (RCE) flaw tracked as CVE-2025-59470 with a CVSS score of 9.0. This vulnerability allows users with Backup or Tape Operator roles to execute arbitrary code as the `postgres` user by sending malicious parameters, posing a high risk due to the elevated privileges of these roles. Additional vulnerabilities addressed include CVE-2025-55125, CVE-2025-59468, and CVE-2025-59469, which could allow RCE as root or the `postgres` user, or enable file writes as root. All issues affect Veeam Backup & Replication version 13.0.1.180 and earlier, and have been resolved in version 13.0.1.1071. Veeam has emphasized the importance of following its security guidelines to reduce exploitation risk, although there is no evidence of these vulnerabilities being exploited in the wild at this time. Security advisories from both Veeam and the Canadian Centre for Cyber Security urge users and administrators to review the official documentation and apply the necessary updates immediately to mitigate potential threats. Organizations are advised to ensure that only trusted personnel have access to privileged operator roles and to update their systems without delay.
Mar 21, 2026
Veeam Patches Critical RCE and Privilege Escalation Flaws Across Backup Products
Veeam released security updates for multiple products after disclosing several vulnerabilities that affect enterprise backup and monitoring environments, including **Veeam Backup & Replication**, **Veeam ONE**, and **Veeam Service Provider Console**. The most severe issue, **`CVE-2026-32998`**, is a critical remote code execution flaw in Veeam Service Provider Console with a **CVSS score of 9.4**; Veeam said it is fixed in **version `9.2.1.33875`**. Canadian Centre for Cyber Security advisory **AV26-513** said affected versions include Veeam Backup & Replication 13 releases before **`13.0.2.29`**, Veeam ONE releases before **`13.0.2.6723`**, and Veeam Service Provider Console 9.2 releases before **`9.2.1.33875`**, and urged administrators to apply the vendor updates. Veeam also patched **`CVE-2026-32996`**, a high-severity local privilege escalation flaw in **Veeam Agent for Microsoft Windows** that could let a low-privileged local user gain administrative control, and **`CVE-2026-32997`**, an arbitrary file write issue affecting Linux-based backup servers running the **Veeam Software Appliance** that could allow an authenticated backup administrator to modify system files. For organizations unable to patch immediately, Veeam provided a workaround for the Service Provider Console bug by disabling the `AlarmManagement_ScriptExecution` setting in the local configuration JSON file, while older reporting on **Veeam ONE** underscores the continued security focus on Veeam’s management stack.
May 28, 2026