Veeam Releases Critical Security Patches to Address Remote Code Execution Vulnerabilities
On March 12, 2026, Veeam Software issued a critical security update for Veeam Backup & Replication that addresses multiple vulnerabilities allowing remote code execution and privilege escalation on backup infrastructure. The update, identified as Build 12.3.2.4465, is a must-install for administrators, because a compromised backup server hands an attacker both the data and the recovery path.
Overview of Critical Vulnerabilities
The update resolves three critical-severity vulnerabilities, each rated 9.9 under CVSS 3.1, the top of the critical band. All three require some form of authenticated access, but the level of access needed is low:
– CVE-2026-21666: Allows an authenticated domain user to execute arbitrary code remotely on the Veeam Backup Server, which can lead to full compromise of the host.
– CVE-2026-21667: A second, similar flaw that also lets an authenticated domain user achieve remote code execution on the Backup Server, with the same consequences for data integrity and system security.
– CVE-2026-21708: Allows an attacker holding only the Backup Viewer role to execute code remotely as the internal PostgreSQL user, giving control over the configuration database that backs the product.
The practical caveat for the two domain-user bugs is that "authenticated domain user" means any account in the domain, not a Veeam administrator. If the backup server is joined to the production domain, every phished or otherwise compromised user account in that domain is enough to reach it, which is why keeping the backup server out of the production domain is long-standing Veeam hardening guidance.
In addition to these critical vulnerabilities, Veeam addressed two high-severity issues, each with a CVSS score of 8.8:
– CVE-2026-21668: Allows an authenticated domain user to modify arbitrary files on a Backup Repository, which can be used to corrupt or destroy backups before an attack on production systems.
– CVE-2026-21672: A local privilege escalation flaw on Windows-based Veeam Backup & Replication servers, letting an attacker who already has limited local access elevate to higher system privileges.
Technical Enhancements and Fixes
Beyond addressing these vulnerabilities, Build 12.3.2.4465 includes several technical improvements to enhance overall system security:
– Component Upgrades: The update bumps bundled third-party components, including decode-uri-component to 0.2.2, Newtonsoft.Json to 13.0.3, and path-to-regexp to 1.9.0, so that the product picks up upstream fixes shipped in those library versions.
– Operational Fixes: The release resolves issues such as the deserialization error that previously caused PostgreSQL item restores initiated from Enterprise Manager to fail.
Recommendations for Administrators
Veeam strongly advises administrators to apply this security patch immediately to mitigate the risks associated with these vulnerabilities. To check the installed version, open the Veeam Backup & Replication Console, open the Main Menu, and select Help, then About; the build number shown there is what the guidance below keys on.
For deployments already on version 12.3.2 (builds 12.3.2.3617 or 12.3.2.4165), Veeam provides a smaller dedicated patch as either an ISO or an EXE. Deployments on older versions, such as 12.3.1 or earlier, must use the full installation ISO to upgrade to the 12.3.2.4465 build.
Before running the installer, make sure the downloaded files are unblocked: Windows tags files downloaded from the Internet with a zone marker, and an installer still carrying that marker can fail partway through. Keeping the backup software current, and re-checking the installed build after the update completes, is a basic part of maintaining modern infrastructure security.
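The steps above, from reading the installed build to deciding which download applies to unblocking the downloaded files, can be scripted so the same check runs on every backup server. The script below is an added example and is not Veeam's own tooling. It assumes the default installation path and that the file version of Veeam.Backup.Manager.exe matches the build shown under Help > About, which holds for a standard install; the download folder path is also an assumption to be adjusted.

```powershell
# Added example, not part of the original page or of Veeam's tooling.
# Assumptions: default install path; the file version of Veeam.Backup.Manager.exe
# reflects the installed build; patches were downloaded to $DownloadDir.
$ExePath      = 'C:\Program Files\Veeam\Backup and Replication\Backup\Veeam.Backup.Manager.exe'
$DownloadDir  = 'C:\VeeamUpdates'   # assumed location of the downloaded ISO/EXE
$FixedBuild   = [version]'12.3.2.4465'
$PatchableBuilds = @([version]'12.3.2.3617', [version]'12.3.2.4165')

# Decide the upgrade path from an installed build number, using the rules on this page.
function Get-VbrUpgradePath {
    param([Parameter(Mandatory)][version]$Installed)
    if ($Installed -ge $FixedBuild) {
        return 'Fixed build or newer is installed; no action needed'
    }
    if ($PatchableBuilds -contains $Installed) {
        return 'On 12.3.2: apply the dedicated 12.3.2.4465 patch (ISO or EXE)'
    }
    return 'Older than 12.3.2: upgrade with the full 12.3.2.4465 installation ISO'
}

# Step 1: read the installed build from the executable's file version.
if (-not (Test-Path -LiteralPath $ExePath)) {
    Write-Error "Veeam.Backup.Manager.exe not found at $ExePath; is this the backup server?"
    return
}
$fileVersion = (Get-Item -LiteralPath $ExePath).VersionInfo.FileVersion
$installed   = [version]$fileVersion
Write-Host "Installed build: $installed"
Write-Host ("Upgrade path  : " + (Get-VbrUpgradePath -Installed $installed))

# Step 2: clear the Internet zone marker (Zone.Identifier stream) from the downloaded
# installer files so the installer does not fail on a blocked file, then show a hash
# that can be compared against the value published on Veeam's download page.
if (Test-Path -LiteralPath $DownloadDir) {
    $files = Get-ChildItem -LiteralPath $DownloadDir -File -Include '*.iso', '*.exe' -Recurse
    foreach ($f in $files) {
        Unblock-File -LiteralPath $f.FullName
        $hash = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
        Write-Host ("Unblocked {0}  SHA256={1}" -f $f.Name, $hash)
    }
} else {
    Write-Warning "Download folder $DownloadDir not found; skipping unblock step"
}
```

Run it in an elevated PowerShell session on each backup server before and after the update; the second run should report the fixed build, which is the confirmation that the patch actually took effect rather than only being downloaded. The hash line is there so the value can be checked against the one Veeam publishes, which the script cannot know on its own.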