Veeam Patches Critical RCE and Privilege Escalation Flaws Across Backup Products
Veeam released security updates for multiple products after disclosing several vulnerabilities that affect enterprise backup and monitoring environments, including Veeam Backup & Replication, Veeam ONE, and Veeam Service Provider Console. The most severe issue, CVE-2026-32998, is a critical remote code execution flaw in Veeam Service Provider Console with a CVSS score of 9.4; Veeam said it is fixed in version 9.2.1.33875. Canadian Centre for Cyber Security advisory AV26-513 said affected versions include Veeam Backup & Replication 13 releases before 13.0.2.29, Veeam ONE releases before 13.0.2.6723, and Veeam Service Provider Console 9.2 releases before 9.2.1.33875, and urged administrators to apply the vendor updates.
Veeam also patched CVE-2026-32996, a high-severity local privilege escalation flaw in Veeam Agent for Microsoft Windows that could let a low-privileged local user gain administrative control, and CVE-2026-32997, an arbitrary file write issue affecting Linux-based backup servers running the Veeam Software Appliance that could allow an authenticated backup administrator to modify system files. For organizations unable to patch immediately, Veeam provided a workaround for the Service Provider Console bug by disabling the AlarmManagement_ScriptExecution setting in the local configuration JSON file, while older reporting on Veeam ONE underscores the continued security focus on Veeam’s management stack.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Veeam patches CVE-2026-32997 affecting Linux-based backup servers
Veeam fixed CVE-2026-32997, an arbitrary file write vulnerability affecting Linux-based backup servers running the Veeam Software Appliance. The issue could allow an authenticated backup administrator to modify system files.
Veeam patches CVE-2026-32996 in Veeam Agent for Microsoft Windows
Veeam addressed CVE-2026-32996, a high-severity local privilege escalation vulnerability in Veeam Agent for Microsoft Windows. According to the report, the flaw could allow a low-privileged local attacker to gain administrative control and was reported by researcher "Alibabas."
Veeam fixes critical CVE-2026-32998 in Service Provider Console
Veeam released a fix for CVE-2026-32998, a critical remote code execution vulnerability in Veeam Service Provider Console with a CVSS score of 9.4. The flaw was discovered by researcher "putsi" through HackerOne, and Veeam said it is fixed in version 9.2.1.33875 while also providing a workaround to disable AlarmManagement_ScriptExecution in the local configuration JSON file.
Veeam publishes security advisories and patches multiple product flaws
On 2026-05-27, Veeam published security advisories addressing vulnerabilities in multiple products, including Veeam Backup & Replication, Veeam ONE, and Veeam Service Provider Console. The advisories covered affected versions prior to Backup & Replication 13.0.2.29, Veeam ONE 13.0.2.6723, and Service Provider Console 9.2.1.33875.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
5 references tracked. Mallory keeps watching after this page renders.
Veeam Backup & Replication Tool Vulnerability Enables Privilege Escalation Attacks
cybersecuritynews.com
Open sourceVeeam Security Vulnerabilities: Critical Patches Released
securityonline.info
Open sourceVeeam security advisory (AV26-513) - Canadian Centre for Cyber Security
cyber.gc.ca
Open sourceKB4852: Vulnerabilities Resolved in Veeam Backup & Replication 13.0.2
veeam.com
Open sourceCritical Flaws Discovered in Veeam ONE IT Monitoring Software - Patch Now
thehackernews.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Critical RCE and Privilege-Escalation Vulnerabilities Patched in Veeam Backup & Replication
**Veeam** released security updates for *Veeam Backup & Replication (VBR)* addressing multiple vulnerabilities, including **four critical remote code execution (RCE) flaws** that could allow code execution on backup servers under certain access conditions. Reported issues include RCE paths for low-privileged domain users (CVE-2026-21666, CVE-2026-21667, CVE-2026-21669) and an additional RCE scenario where a Backup Viewer could achieve code execution as the `postgres` user (CVE-2026-21708). Veeam also fixed several high-severity issues enabling actions such as privilege escalation on Windows-based VBR servers, extraction of saved SSH credentials, and bypassing restrictions to manipulate arbitrary files on a Backup Repository. The Canadian Centre for Cyber Security relayed Veeam’s advisory and urged organizations to apply updates, noting affected branches as VBR 12 and 13 prior to fixed releases. Veeam’s fixes are available in **Veeam Backup & Replication 12.3.2.4465** and **13.0.1.2067**, and the vendor warned that attackers commonly reverse-engineer patches shortly after release to target unpatched deployments—an elevated concern given VBR’s frequent targeting in ransomware operations. Other Canadian Centre advisories in the same period covered unrelated vendor updates (e.g., ABB, GitHub, Splunk, JetBrains, Hitachi, VMware, Fortinet, Mozilla) and do not describe the Veeam RCE issue.
Mar 21, 2026
Veeam Fixes Multiple Critical Backup & Replication RCE Vulnerabilities
**Veeam** released security updates for **Backup & Replication** to address multiple high-severity flaws, including several **remote code execution** issues affecting version `12.3.2.4165` and all earlier version 12 builds. The disclosed vulnerabilities include `CVE-2026-21666`, `CVE-2026-21667`, `CVE-2026-21668`, `CVE-2026-21672`, and `CVE-2026-21708`, with several carrying **CVSS 9.9** ratings. According to the advisories, successful exploitation could allow authenticated domain users to execute code on the backup server, manipulate arbitrary files on a backup repository, or achieve local privilege escalation on Windows-based servers. Veeam said the issues were fixed in **Backup & Replication** version `12.3.2.4465`, while `CVE-2026-21672` and `CVE-2026-21708` were also remediated in version `13.0.1.2067`, alongside additional critical flaws `CVE-2026-21669` and `CVE-2026-21671`. The company warned that public patch disclosure increases the likelihood of **patch reverse engineering** and follow-on attacks against unpatched systems, making rapid remediation a priority for organizations running exposed or domain-connected Veeam infrastructure.
Mar 20, 2026
Critical Vulnerabilities Patched in Veeam Backup & Replication Software
Veeam has released security updates for its Backup & Replication software, addressing four significant vulnerabilities, including a critical remote code execution (RCE) flaw tracked as CVE-2025-59470 with a CVSS score of 9.0. This vulnerability allows users with Backup or Tape Operator roles to execute arbitrary code as the `postgres` user by sending malicious parameters, posing a high risk due to the elevated privileges of these roles. Additional vulnerabilities addressed include CVE-2025-55125, CVE-2025-59468, and CVE-2025-59469, which could allow RCE as root or the `postgres` user, or enable file writes as root. All issues affect Veeam Backup & Replication version 13.0.1.180 and earlier, and have been resolved in version 13.0.1.1071. Veeam has emphasized the importance of following its security guidelines to reduce exploitation risk, although there is no evidence of these vulnerabilities being exploited in the wild at this time. Security advisories from both Veeam and the Canadian Centre for Cyber Security urge users and administrators to review the official documentation and apply the necessary updates immediately to mitigate potential threats. Organizations are advised to ensure that only trusted personnel have access to privileged operator roles and to update their systems without delay.
Mar 21, 2026