Veeam Fixes Multiple Critical Backup & Replication RCE Vulnerabilities
Veeam released security updates for Backup & Replication to address multiple high-severity flaws, including several remote code execution issues affecting version 12.3.2.4165 and all earlier version 12 builds. The disclosed vulnerabilities include CVE-2026-21666, CVE-2026-21667, CVE-2026-21668, CVE-2026-21672, and CVE-2026-21708, with several carrying CVSS 9.9 ratings. According to the advisories, successful exploitation could allow authenticated domain users to execute code on the backup server, manipulate arbitrary files on a backup repository, or achieve local privilege escalation on Windows-based servers.
Veeam said the issues were fixed in Backup & Replication version 12.3.2.4465, while CVE-2026-21672 and CVE-2026-21708 were also remediated in version 13.0.1.2067, alongside additional critical flaws CVE-2026-21669 and CVE-2026-21671. The company warned that public patch disclosure increases the likelihood of patch reverse engineering and follow-on attacks against unpatched systems, making rapid remediation a priority for organizations running exposed or domain-connected Veeam infrastructure.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Security outlets and national defenders amplify urgent patch guidance
By 2026-03-13, multiple security news outlets and Belgium's CCB were warning organizations to patch Veeam Backup & Replication immediately because of multiple critical vulnerabilities. Coverage highlighted the risk to backup infrastructure and the potential for rapid targeting of unpatched systems.
Technical details published for CVE-2026-21666 RCE flaw
On 2026-03-12, public reporting described CVE-2026-21666 as an authenticated remote code execution vulnerability caused by improper neutralization of CRLF sequences in Veeam Backup Server input handling. The write-up explained that crafted configuration parameters for Linux-based backup components could inject directives and execute attacker-controlled commands.
Veeam issues version 13 advisory for additional critical vulnerabilities
On 2026-03-12, Veeam also published KB4831 for Backup & Replication version 13.0.1.2067, addressing additional critical vulnerabilities beyond those fixed in the version 12 update. This established separate remediation guidance for customers on the newer major release.
Veeam publishes advisories and patches seven Backup & Replication flaws
On 2026-03-12, Veeam released KB4830 and security build 12.3.2.4465 to fix seven vulnerabilities in Veeam Backup & Replication version 12, including critical remote code execution, privilege escalation, and arbitrary file manipulation issues. The flaws affected version 12.3.2.4165 and all earlier version 12 builds, and Veeam warned administrators to patch quickly because attackers could reverse-engineer the update.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
8 references tracked. Mallory keeps watching after this page renders.
Veeam Security Patch Fixes Critical RCE In Backup Platform
thecyberexpress.com
Open sourceVeeam Patches Multiple Critical RCE Vulnerabilities on Backup Server
cybersecuritynews.com
Open sourceVeeam Patches 7 Critical Backup & Replication Flaws Allowing Remote Code Execution
thehackernews.com
Open sourceVeeam warns admins to patch now as critical RCE flaws hit Backup & Replication | CSO Online
csoonline.com
Open sourceWarning: Multiple Critical Vulnerabilities in Veeam Backup & Replication, Patch Immediately! | CCB Safeonweb
ccb.belgium.be
Open sourceCVE-2026-21666: CVE-2026-21666: Authenticated Remote Code Execution in Veeam Backup & Replication | CVEReports
cvereports.com
Open sourceKB4830: Vulnerabilities Resolved in Veeam Backup & Replication 12.3.2.4465
veeam.com
Open sourceKB4831: Vulnerabilities Resolved in Veeam Backup & Replication 13.0.1.2067
veeam.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Critical RCE and Privilege-Escalation Vulnerabilities Patched in Veeam Backup & Replication
**Veeam** released security updates for *Veeam Backup & Replication (VBR)* addressing multiple vulnerabilities, including **four critical remote code execution (RCE) flaws** that could allow code execution on backup servers under certain access conditions. Reported issues include RCE paths for low-privileged domain users (CVE-2026-21666, CVE-2026-21667, CVE-2026-21669) and an additional RCE scenario where a Backup Viewer could achieve code execution as the `postgres` user (CVE-2026-21708). Veeam also fixed several high-severity issues enabling actions such as privilege escalation on Windows-based VBR servers, extraction of saved SSH credentials, and bypassing restrictions to manipulate arbitrary files on a Backup Repository. The Canadian Centre for Cyber Security relayed Veeam’s advisory and urged organizations to apply updates, noting affected branches as VBR 12 and 13 prior to fixed releases. Veeam’s fixes are available in **Veeam Backup & Replication 12.3.2.4465** and **13.0.1.2067**, and the vendor warned that attackers commonly reverse-engineer patches shortly after release to target unpatched deployments—an elevated concern given VBR’s frequent targeting in ransomware operations. Other Canadian Centre advisories in the same period covered unrelated vendor updates (e.g., ABB, GitHub, Splunk, JetBrains, Hitachi, VMware, Fortinet, Mozilla) and do not describe the Veeam RCE issue.
Mar 21, 2026
Critical RCE in Veeam Backup & Replication Exposes Domain-Joined Servers
Veeam has released fixes for a critical remote code execution flaw in **Veeam Backup & Replication**, tracked as `CVE-2026-44963`, affecting version `12.3.2.4465` and earlier `12.x` builds on **Windows domain-joined** servers. The vulnerability was reported by WatchTowr researcher **Sina Kheirkhah** and allows any **authenticated low-privileged domain user** to execute arbitrary code on the backup server, giving attackers a path to compromise backup infrastructure in Active Directory environments. Veeam says **version 13.x is not affected** because of architectural changes, and the issue is resolved in **Veeam Backup & Replication `12.3.2.4854`**. The flaw has not been publicly reported as exploited, but Veeam warned that attackers often reverse-engineer patches quickly to target unpatched systems. The issue carries a **CVSS v4 score of 9.4** and is especially serious because backup servers are frequent ransomware targets: compromising them can enable **data theft, lateral movement, privilege escalation, and destruction of backups**. Reporting on the disclosure also pointed to earlier Veeam-focused attacks, including abuse of `CVE-2024-40711` by **Akira, Fog, and Frag**, underscoring the need for organizations to patch immediately, review domain-joined deployments, restrict unnecessary domain user access, and closely monitor backup infrastructure.
Jun 11, 2026
Critical Vulnerabilities Patched in Veeam Backup & Replication Software
Veeam has released security updates for its Backup & Replication software, addressing four significant vulnerabilities, including a critical remote code execution (RCE) flaw tracked as CVE-2025-59470 with a CVSS score of 9.0. This vulnerability allows users with Backup or Tape Operator roles to execute arbitrary code as the `postgres` user by sending malicious parameters, posing a high risk due to the elevated privileges of these roles. Additional vulnerabilities addressed include CVE-2025-55125, CVE-2025-59468, and CVE-2025-59469, which could allow RCE as root or the `postgres` user, or enable file writes as root. All issues affect Veeam Backup & Replication version 13.0.1.180 and earlier, and have been resolved in version 13.0.1.1071. Veeam has emphasized the importance of following its security guidelines to reduce exploitation risk, although there is no evidence of these vulnerabilities being exploited in the wild at this time. Security advisories from both Veeam and the Canadian Centre for Cyber Security urge users and administrators to review the official documentation and apply the necessary updates immediately to mitigate potential threats. Organizations are advised to ensure that only trusted personnel have access to privileged operator roles and to update their systems without delay.
Mar 21, 2026