Veeam Patches Critical RCE Flaws in Backup Software
13 Mar
Summary
- Three critical remote code execution flaws fixed in Veeam Backup & Replication.
- Vulnerabilities could allow attackers to execute code as high-privilege users.
- Customers urged to upgrade immediately to prevent exploitation of the now-patched bugs.

Veeam has addressed five security vulnerabilities in its widely used Backup & Replication solution. Three of them are critical-severity flaws, each scored 9.9/10, that expose affected systems to remote code execution (RCE).
Two of the critical vulnerabilities (CVE-2026-21666 and CVE-2026-21667) could enable an authenticated domain user to achieve RCE on the Backup Server. A third critical bug (CVE-2026-21708) allows a Backup Viewer to execute code as the 'postgres' user.
Additionally, two high-severity flaws (8.8/10) were patched: CVE-2026-21668, allowing manipulation of arbitrary files on a Backup Repository, and CVE-2026-21672, enabling privilege escalation on Windows servers.
These issues affect Veeam Backup & Replication 12.3.2.4165 and earlier versions. Veeam is urging customers to upgrade to build 12.3.2.4465 or later without delay. The company highlighted that cybercriminals frequently reverse-engineer patches to target unpatched systems, making prompt application of updates crucial for security.




