Critical RCE Flaws in Veeam Backup & Replication and Rsync Require Patching
Authorities warned of critical vulnerabilities in two widely used backup and file synchronization products, with the most severe issues enabling remote code execution. In Veeam Backup & Replication version 12.3.1.1139 and all earlier 12.x releases, CVE-2025-23121 can allow code execution on a backup server when an authenticated domain user account is available, particularly on domain-joined systems. Two additional Veeam flaws, CVE-2025-24286 and CVE-2025-24287, can also lead to arbitrary code execution through backup job modification by an authenticated backup operator or by manipulating local directory contents as a local system user.
A separate alert covered Rsync version 3.3.0 and earlier, where six server-side vulnerabilities were disclosed. The most critical, CVE-2024-12084, can allow arbitrary code execution on a target Rsync server, while additional flaws include CVE-2024-12085, CVE-2024-12747, CVE-2024-12086, CVE-2024-12087, and CVE-2024-12088; the client application is not affected. Defenders were urged to apply vendor fixes immediately, including upgrading Veeam to version 12.3.2 build 12.3.2.3617 and installing patched Rsync packages provided by Linux distributors.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Veeam discloses critical Backup & Replication flaws and provides patched version
Multiple vulnerabilities were disclosed in Veeam Backup & Replication 12.3.1.1139 and earlier 12.x releases, led by CVE-2025-23121, which can enable remote code execution on domain-joined backup servers when an authenticated domain user account is available. Veeam also addressed CVE-2025-24286 and CVE-2025-24287 and made a corrective update available in version 12.3.2 build 12.3.2.3617.
Rsync discloses six server-side vulnerabilities and releases fixes
The Rsync project disclosed six vulnerabilities affecting Rsync server implementations in version 3.3.0 and earlier, including critical RCE flaw CVE-2024-12084. Fixes were released for CVE-2024-12084, CVE-2024-12085, CVE-2024-12747, CVE-2024-12086, CVE-2024-12087, and CVE-2024-12088, with no known exploitation or public exploit code reported at the time.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
Kriittinen haavoittuvuus Veeam Backup & Replication -tuotteessa | Traficom
kyberturvallisuuskeskus.fi
Open sourceKriittinen haavoittuvuus Veeam Backup & Replication -tuotteessa | Traficom
kyberturvallisuuskeskus.fi
Open sourceKriittinen rsync-haavoittuvuus vaatii välitöntä korjausta | Traficom
kyberturvallisuuskeskus.fi
Open sourceKriittinen rsync-haavoittuvuus vaatii välitöntä korjausta | Traficom
kyberturvallisuuskeskus.fi
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Veeam Fixes Multiple Critical Backup & Replication RCE Vulnerabilities
**Veeam** released security updates for **Backup & Replication** to address multiple high-severity flaws, including several **remote code execution** issues affecting version `12.3.2.4165` and all earlier version 12 builds. The disclosed vulnerabilities include `CVE-2026-21666`, `CVE-2026-21667`, `CVE-2026-21668`, `CVE-2026-21672`, and `CVE-2026-21708`, with several carrying **CVSS 9.9** ratings. According to the advisories, successful exploitation could allow authenticated domain users to execute code on the backup server, manipulate arbitrary files on a backup repository, or achieve local privilege escalation on Windows-based servers. Veeam said the issues were fixed in **Backup & Replication** version `12.3.2.4465`, while `CVE-2026-21672` and `CVE-2026-21708` were also remediated in version `13.0.1.2067`, alongside additional critical flaws `CVE-2026-21669` and `CVE-2026-21671`. The company warned that public patch disclosure increases the likelihood of **patch reverse engineering** and follow-on attacks against unpatched systems, making rapid remediation a priority for organizations running exposed or domain-connected Veeam infrastructure.
Mar 20, 2026
Critical RCE and Privilege-Escalation Vulnerabilities Patched in Veeam Backup & Replication
**Veeam** released security updates for *Veeam Backup & Replication (VBR)* addressing multiple vulnerabilities, including **four critical remote code execution (RCE) flaws** that could allow code execution on backup servers under certain access conditions. Reported issues include RCE paths for low-privileged domain users (CVE-2026-21666, CVE-2026-21667, CVE-2026-21669) and an additional RCE scenario where a Backup Viewer could achieve code execution as the `postgres` user (CVE-2026-21708). Veeam also fixed several high-severity issues enabling actions such as privilege escalation on Windows-based VBR servers, extraction of saved SSH credentials, and bypassing restrictions to manipulate arbitrary files on a Backup Repository. The Canadian Centre for Cyber Security relayed Veeam’s advisory and urged organizations to apply updates, noting affected branches as VBR 12 and 13 prior to fixed releases. Veeam’s fixes are available in **Veeam Backup & Replication 12.3.2.4465** and **13.0.1.2067**, and the vendor warned that attackers commonly reverse-engineer patches shortly after release to target unpatched deployments—an elevated concern given VBR’s frequent targeting in ransomware operations. Other Canadian Centre advisories in the same period covered unrelated vendor updates (e.g., ABB, GitHub, Splunk, JetBrains, Hitachi, VMware, Fortinet, Mozilla) and do not describe the Veeam RCE issue.
Mar 21, 2026
Critical RCE in Veeam Backup & Replication Exposes Domain-Joined Servers
Veeam has released fixes for a critical remote code execution flaw in **Veeam Backup & Replication**, tracked as `CVE-2026-44963`, affecting version `12.3.2.4465` and earlier `12.x` builds on **Windows domain-joined** servers. The vulnerability was reported by WatchTowr researcher **Sina Kheirkhah** and allows any **authenticated low-privileged domain user** to execute arbitrary code on the backup server, giving attackers a path to compromise backup infrastructure in Active Directory environments. Veeam says **version 13.x is not affected** because of architectural changes, and the issue is resolved in **Veeam Backup & Replication `12.3.2.4854`**. The flaw has not been publicly reported as exploited, but Veeam warned that attackers often reverse-engineer patches quickly to target unpatched systems. The issue carries a **CVSS v4 score of 9.4** and is especially serious because backup servers are frequent ransomware targets: compromising them can enable **data theft, lateral movement, privilege escalation, and destruction of backups**. Reporting on the disclosure also pointed to earlier Veeam-focused attacks, including abuse of `CVE-2024-40711` by **Akira, Fog, and Frag**, underscoring the need for organizations to patch immediately, review domain-joined deployments, restrict unnecessary domain user access, and closely monitor backup infrastructure.
Jun 11, 2026