High

Arbitrary File Write in Linux-based Veeam Backup & Replication Server

IdentifiersCVE-2026-32997CWE-36· Absolute Path Traversal

CVE-2026-32997 is an authenticated arbitrary file write vulnerability affecting Linux-based Veeam Backup & Replication servers, specifically Linux-based backup servers operating the Veeam Software Appliance. According to the provided content, a user authenticated with the Backup Administrator role can exploit the flaw to write arbitrary files and modify system files on the affected server. The CVE record classifies the issue as CWE-36, indicating an absolute path traversal weakness underlying the arbitrary file write condition. No more specific vulnerable function or code path is provided in the available information.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows an authenticated Backup Administrator to write arbitrary files on the Linux-based Veeam Backup & Replication server and modify system files. This can compromise the confidentiality, integrity, and availability of the affected system, as reflected in the provided CVSS v4.0 metadata indicating high impact across those dimensions. Depending on what files are overwritten or created, this could enable broader system compromise or operational disruption.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, restrict and closely monitor assignment and use of the Backup Administrator role, as exploitation requires authenticated access with that privilege level. Limit network access to management interfaces, reduce exposure of the Linux-based backup server to only trusted administrative networks, and monitor for unexpected modification of system files. No vendor-specific workaround beyond updating is provided in the available information.

Remediation

Patch, then assume compromise.

Apply Veeam's security update for the affected Linux-based Veeam Software Appliance / Backup & Replication deployment. The provided content states that Veeam resolved this vulnerability by releasing version 13.0.2. Review and follow Veeam advisory KB4852 for vendor-specific upgrade guidance: https://www.veeam.com/kb4852.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

Veeam SoftwareBackup & Replicationapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

5 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

5 SOURCESView more in app

security online infoNews

May 28, 2026

Veeam Security Vulnerabilities: Critical Patches Released

An arbitrary file write vulnerability in the Linux-based Veeam Software Appliance that allows an authenticated backup administrator to modify system files.

cvefeed high severityNews

May 28, 2026

CVE-2026-32997 - Veeam Backup & Replication Server Authenticated File Write Vulnerability

An arbitrary file write vulnerability in Linux-based Veeam Backup & Replication servers that can be exploited by an authenticated user with the Backup Administrator role.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity3

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2026-32997

NVD

nvd.nist.gov/vuln/detail/CVE-2026-32997

MITRE CWE · CWE-36

Absolute Path Traversal

veeam.com

veeam.com/kb4852