Veeam says critical security flaws may be exposing backup servers to RCE attacks
Veeam patches three critical-severity flaws
- Veeam patches five Backup & Replication flaws
- Three critical RCE bugs (CVE-2026-21666, -21667, -21708) fixed
- Company urges immediate upgrades to avoid exploitation
Veeam has said it recently patched five flaws in its Backup & Replication solution, including three critical-severity issues which could have allowed for remote code execution (RCE) attacks.
Veeam Backup & Replication is Veeam’s flagship product for protecting enterprise data. It provides backup, recovery, and replication for virtual, physical, and cloud workloads, and supports VMware vSphere, Microsoft Hyper-V, and major public clouds.
Here is the breakdown of the five bugs, as listed in a security advisory published on the company’s website:
- CVE-2026-21666 and CVE-2026-21667 are both vulnerabilities allowing an authenticated domain user to perform remote code execution on the Backup Server. They were both given a severity score of 9.9/10 (critical).
- CVE-2026-21708, a vulnerability allowing a Backup Viewer to perform remote code execution as the postgres user. This one was also given a 9.9/10 (critical) severity score.
- CVE-2026-21668 is a bug that allows an authenticated domain user to bypass restrictions and manipulate arbitrary files on a Backup Repository. Its severity score is 8.8/10 (high).
- CVE-2026-21672, an 8.8/10 (high) vulnerability allowing local privilege escalation on Windows-based Veeam Backup & Replication servers.
Urging customers to patch
The bugs affect Veeam Backup & Replication 12.3.2.4165 and all earlier version 12 builds, and were fixed starting with build 12.3.2.4465.
The company urged its customers to upgrade the software as soon as possible, since hackers are known for targeting freshly addressed flaws:
"It's important to note that once a vulnerability and its associated patch are disclosed, attackers will likely attempt to reverse-engineer the patch to exploit unpatched deployments of Veeam software," the company said.
"This reality underscores the critical importance of ensuring that all customers use the latest versions of our software and install all updates and patches without delay."
Via BleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.