Veeam has released a critical update for its Backup & Replication software, addressing severe vulnerabilities that could allow remote code execution (RCE) and privilege escalation. This update, issued on March 12, 2026, is crucial for administrators aiming to protect their backup systems from active threats.
Key Vulnerabilities Resolved
The latest patch, version 12.3.2.4465, addresses three critical vulnerabilities, each with a CVSS 3.1 score of 9.9. These flaws pose significant dangers to enterprise backup environments. CVE-2026-21666 and CVE-2026-21667 allow authenticated domain users to execute arbitrary code on the Veeam Backup Server, risking full system compromise. Additionally, CVE-2026-21708 lets attackers with Backup Viewer permissions perform RCE as the internal PostgreSQL user, gaining unauthorized database control.
Furthermore, two high-severity vulnerabilities have been patched, both scoring 8.8 on the CVSS scale. CVE-2026-21668 allows an authenticated user to manipulate arbitrary files on a Backup Repository, threatening backup integrity. CVE-2026-21672 is a local privilege escalation flaw affecting Windows-based servers, enabling attackers with limited access to elevate their system privileges.
Technical Enhancements Implemented
In addition to fixing these vulnerabilities, the patch updates several bundled third-party components: Decode-uri-component to version 0.2.2, Newtonsoft.Json to 13.0.3, and Path-to-RegExp to 1.9.0. The release also resolves operational issues, such as updating the public GPG key for RHEL infrastructure servers that have the DISA STIG profile enabled.
Administrators are advised to temporarily disable the fapolicyd service during the update to ensure a smooth transition. Additionally, a deserialization error affecting PostgreSQL item restores from the Enterprise Manager has been corrected.
Update Recommendations and Procedures
Veeam strongly recommends administrators apply this security patch immediately. To verify the current version, users should access the Main Menu of the Veeam Backup & Replication Console and navigate to Help, then About. For those running version 12.3.2 (builds 12.3.2.3617 or 12.3.2.4165), a smaller dedicated patch file is available as an ISO or EXE. Deployments on older versions must use the complete installation ISO to upgrade to build 12.3.2.4465.
Administrators should ensure downloaded files are unblocked before running the installer to avoid operational errors.
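The version check, patch-path decision and installer unblocking described above, written in PowerShell as an added example (this is not code from the advisory or from Veeam). The uninstall-registry DisplayName filter and the installer file name are assumptions; the console's Help > About dialog remains the authoritative source for the installed build.

```powershell
# Added example: classify an installed Veeam B&R build against the fixed build
# named in the advisory and pick the matching update path. Not Veeam's own code.
$FixedBuild       = [version]'12.3.2.4465'
$DedicatedPatchOk = @([version]'12.3.2.3617', [version]'12.3.2.4165')  # builds the small patch file supports

function Get-VeeamUpdatePath {
    param([Parameter(Mandatory)][version]$Installed)
    if ($Installed -ge $FixedBuild)             { return 'Patched' }
    if ($DedicatedPatchOk -contains $Installed) { return 'DedicatedPatch' }  # ISO or EXE patch file
    return 'FullIso'                                                          # older builds: full installation ISO
}

# Read the build from the standard Windows uninstall registry keys.
# ASSUMPTION: the product's DisplayName begins with 'Veeam Backup & Replication';
# confirm the result against Help > About in the console.
function Get-VeeamInstalledVersion {
    $paths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $entry = Get-ItemProperty $paths -ErrorAction SilentlyContinue |
             Where-Object { $_.DisplayName -like 'Veeam Backup & Replication*' } |
             Sort-Object { [version]$_.DisplayVersion } -Descending |
             Select-Object -First 1
    if (-not $entry) { throw 'Veeam Backup & Replication not found in the uninstall registry' }
    return [version]$entry.DisplayVersion
}

$installed = Get-VeeamInstalledVersion
$action    = Get-VeeamUpdatePath -Installed $installed
Write-Host "Installed build $installed -> $action"

# Files downloaded from the internet carry a Zone.Identifier alternate data stream
# that makes Windows treat them as blocked; remove it before running the installer.
# ASSUMPTION: the downloaded file name below is a placeholder, not Veeam's real name.
$installer = "$env:USERPROFILE\Downloads\VeeamBackupReplication_12.3.2.4465.exe"
if ($action -ne 'Patched' -and (Test-Path $installer)) {
    Unblock-File -Path $installer
    Get-Item $installer -Stream * | Select-Object FileName, Stream   # Zone.Identifier should no longer be listed
}
```

Run it in an elevated PowerShell session on the backup server; an output of `Patched` means build 12.3.2.4465 or later is already installed.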
