An important Veeam security patch to address multiple vulnerabilities in its Backup & Replication platform that potentially allowed attackers to execute malicious code remotely, has been released.
The flaws, tracked as CVE-2026-21666 and CVE-2026-21667, were identified as critical and could enable remote code execution on affected systems ,if successfully exploited.
The vulnerabilities impact Veeam Backup & Replication 12.3.2.4165 and all earlier version 12 builds, prompting the company to release fixes in version 12.3.2.4465. The security update was published on March 12, 2026, under KB ID: 4830, and addresses a total of seven security issues affecting the backup platform.
In its advisory, the company emphasized the urgency of applying the update, noting that threat actors often analyze security patches to identify weaknesses in systems that have not yet been updated.
The official notice states, “It’s important to note that once a vulnerability and its associated patch are disclosed, attackers will likely attempt to reverse-engineer the patch to exploit unpatched deployments of Veeam software. This reality underscores the critical importance of ensuring that all customers use the latest versions of our software and install all updates and patches without delay.”
The Veeam Security Patch Includes
Among the vulnerabilities fixed in the Veeam security patch, two of the most severe are CVE-2026-21666 and CVE-2026-21667. Both issues received a CVSS v3.1 score of 9.9, indicating critical severity.
CVE-2026-21666
The vulnerability CVE-2026-21666 allows an authenticated domain user to trigger remote code execution on a Veeam Backup Server. If exploited, an attacker with domain-level authentication could run arbitrary commands on the server hosting backup services.
- Severity: Critical
- CVSS v3.1 Score: 9.9
- Reported via: HackerOne
CVE-2026-21667
Another major flaw, CVE-2026-21667, similarly enables an authenticated domain user to achieve remote code execution on the Backup Server.
- Severity: Critical
- CVSS v3.1 Score: 9.9
- Source: Discovered during internal testing
Both vulnerabilities demonstrate how attackers with valid credentials could compromise backup infrastructure, potentially gaining control of systems responsible for storing critical data.
Additional Vulnerabilities Fixed in the Update
Beyond CVE-2026-21666 and CVE-2026-21667, the Veeam security patch resolves several other high-impact security issues affecting the Backup & Replication platform.
CVE-2026-21668
This vulnerability allows an authenticated domain user to bypass restrictions and manipulate arbitrary files stored within a Backup Repository.
- Severity: High
- CVSS v3.1 Score: 8.8
- Source: Discovered during internal testing
CVE-2026-21672
The flaw CVE-2026-21672 could allow attackers to escalate privileges locally on Windows-based Veeam Backup & Replication servers.
- Severity: High
- CVSS v3.1 Score: 8.8
- Reported through: HackerOne
CVE-2026-21708
Another critical vulnerability enables a user with the Backup Viewer role to perform remote code execution as the postgres user.
- Severity: Critical
- CVSS v3.1 Score: 9.9
- Source: Discovered during internal testing
These vulnerabilities highlight multiple ways attackers could potentially abuse authentication, permissions, or internal components to compromise backup infrastructure.
Other Security Improvements Included
Alongside fixes for remote code execution vulnerabilities such as CVE-2026-21666 and CVE-2026-21667, the update also introduces a configuration change for Veeam Agent for Linux. The software now opens firewall ports 2500–3300, aligning its port range with other Veeam products.
While not directly tied to a CVE identifier, the change aims to standardize network behavior across Veeam tools and improve operational consistency.
Additional Fixes Introduced in Newer Versions
The company also addressed more vulnerabilities in Backup & Replication 13.0.1.2067. In addition to CVE-2026-21672 and CVE-2026-21708, two additional critical issues were fixed:
- CVE-2026-21669 (CVSS score: 9.9): Allows an authenticated domain user to perform remote code execution on the Backup Server.
- CVE-2026-21671 (CVSS score: 9.1): Allows an authenticated user with the Backup Administrator role to execute code in high availability (HA) deployments of Veeam Backup & Replication.
These issues further demonstrate the potential impact of credentialed attacks against backup systems if vulnerabilities remain unpatched.
Backup systems are frequently targeted by attackers because they contain copies of critical organizational data. Exploiting flaws such as CVE-2026-21666 or CVE-2026-21667 could allow adversaries to run code directly on backup servers, potentially tampering with stored backups or gaining broader access to enterprise infrastructure.
Security experts often warn that once vendors publish patches, threat actors begin analyzing them to identify exploitable weaknesses in systems that have not yet been updated.
