Veeam Addresses Seven Critical Vulnerabilities in Backup & Replication Software
Veeam has recently released security updates to rectify seven critical vulnerabilities in its Backup & Replication software. These flaws, if exploited, could allow attackers to execute remote code, potentially compromising entire systems.
Detailed Overview of the Vulnerabilities:
1. CVE-2026-21666 (CVSS Score: 9.9): This vulnerability permits an authenticated domain user to execute remote code on the Backup Server.
2. CVE-2026-21667 (CVSS Score: 9.9): Similar to the previous flaw, this issue allows an authenticated domain user to perform remote code execution on the Backup Server.
3. CVE-2026-21668 (CVSS Score: 8.8): An authenticated domain user can bypass restrictions and manipulate arbitrary files on a Backup Repository, potentially leading to unauthorized data access or modification.
4. CVE-2026-21672 (CVSS Score: 8.8): This vulnerability enables local privilege escalation on Windows-based Veeam Backup & Replication servers, allowing attackers to gain elevated access rights.
5. CVE-2026-21708 (CVSS Score: 9.9): A user with the Backup Viewer role can execute remote code as the postgres user, posing significant security risks.
6. CVE-2026-21669 (CVSS Score: 9.9): This flaw allows an authenticated domain user to perform remote code execution on the Backup Server.
7. CVE-2026-21671 (CVSS Score: 9.1): An authenticated user with the Backup Administrator role can execute remote code in high availability (HA) deployments of Veeam Backup & Replication.
Affected Versions and Patches:
These vulnerabilities affect Veeam Backup & Replication version 12.3.2.4165 and all earlier builds; Veeam has fixed all of them in version 12.3.2.4465. On the 13.x branch, four of the flaws (CVE-2026-21672, CVE-2026-21708, CVE-2026-21669 and CVE-2026-21671) are resolved in Backup & Replication version 13.0.1.2067.
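The fixed builds above are what a defender needs to triage an estate: any server below its branch's fixed build is a patching priority. The following is an added example (not Veeam's code or tooling) that compares a reported Backup & Replication version string against the fixed builds named in this article. The version string is assumed to be supplied by the operator (from the product console or an inventory export); the host names and the 13.0.1.1000 build in the sample inventory are constructed. It also assumes, as a reading of the article, that every build below 12.3.2.4465 is unpatched for all seven CVEs, and that every 13.0 build below 13.0.1.2067 is missing the four fixes the article names for that branch.

```python
"""Triage Veeam Backup & Replication build numbers against the fixed builds
named in the advisory. Added example; not Veeam's code or tooling.
Assumption: a build is treated as unpatched when it is below the fixed
build of its branch, and an unknown branch is never reported as patched."""

from typing import List, Tuple

# CVEs as listed in the article.
ALL_CVES = [
    "CVE-2026-21666", "CVE-2026-21667", "CVE-2026-21668", "CVE-2026-21672",
    "CVE-2026-21708", "CVE-2026-21669", "CVE-2026-21671",
]
# 12.x branch: all seven are fixed in 12.3.2.4465 (article).
FIXED_12 = (12, 3, 2, 4465)
# 13.0 branch: the article names these four as fixed in 13.0.1.2067.
FIXED_13 = (13, 0, 1, 2067)
CVES_FIXED_13 = ["CVE-2026-21672", "CVE-2026-21708", "CVE-2026-21669", "CVE-2026-21671"]


def parse_version(text: str) -> Tuple[int, ...]:
    """Parse 'major.minor.patch.build' into a tuple of ints.

    Strict on purpose: inventory data with stray text should fail loudly
    rather than silently compare as 'patched'.
    """
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Veeam version format: {text!r}")
    return tuple(int(p) for p in parts)


def outstanding_cves(version: str) -> List[str]:
    """Return the advisory CVEs the given build has not received a fix for.

    Empty list means the build is at or above its branch's fixed build.
    Raises ValueError for a major version the advisory does not cover.
    """
    v = parse_version(version)
    if v[0] <= 12:
        # Article: 12.3.2.4165 and all earlier builds are affected; fixed in 12.3.2.4465.
        return list(ALL_CVES) if v < FIXED_12 else []
    if v[0] == 13:
        # Assumption: 13.0 builds below 13.0.1.2067 are missing the four fixes the
        # article names for that branch. The article does not state the status of
        # the other three CVEs on 13.x, so they are not reported here.
        return list(CVES_FIXED_13) if v < FIXED_13 else []
    raise ValueError(f"major version {v[0]} not covered by this advisory")


if __name__ == "__main__":
    # Constructed sample inventory: hostname -> reported version.
    inventory = {
        "vbr-prod-01": "12.3.2.4165",   # last affected 12.x build named in the article
        "vbr-prod-02": "12.3.2.4465",   # fixed 12.x build
        "vbr-lab-01": "13.0.1.1000",    # constructed pre-fix 13.0 build
        "vbr-lab-02": "13.0.1.2067",    # fixed 13.0 build
    }
    for host, ver in inventory.items():
        missing = outstanding_cves(ver)
        status = "OK" if not missing else f"UNPATCHED ({len(missing)} CVEs): {', '.join(missing)}"
        print(f"{host:12s} {ver:14s} {status}")
```

The parser rejects anything that is not four numeric components, and an unrecognised major version raises instead of returning an empty list, so a malformed or unexpected inventory row can never be mistaken for a patched server.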
Implications and Recommendations:
Veeam emphasizes the importance of promptly applying these patches. Once vulnerabilities and their corresponding patches are disclosed, attackers often attempt to reverse-engineer the fixes to exploit unpatched systems. Given the history of threat actors exploiting vulnerabilities in Veeam software to deploy ransomware, it is crucial for users to update their systems to the latest versions to mitigate potential threats.