Veeam has rolled out essential security patches to mitigate severe vulnerabilities in its Backup & Replication software. These vulnerabilities, if left unaddressed, could enable unauthorized remote code execution, posing a significant threat to user security.
Critical Vulnerabilities Identified
The identified vulnerabilities include CVE-2026-21666 and CVE-2026-21667, both carrying a high CVSS score of 9.9. These flaws permit authenticated domain users to execute remote code on the Backup Server. Another notable vulnerability, CVE-2026-21668, with a CVSS score of 8.8, allows bypassing restrictions to manipulate files on a Backup Repository. Additionally, CVE-2026-21672 and CVE-2026-21708 also highlight serious security concerns, such as local privilege escalation and remote code execution as the postgres user, respectively.
Software Versions Affected
These vulnerabilities impact Veeam Backup & Replication version 12.3.2.4165 and all prior versions. The company has addressed these issues in version 12.3.2.4465. Furthermore, the latest version 13.0.1.2067 resolves CVE-2026-21672 and CVE-2026-21708, alongside two additional critical vulnerabilities, CVE-2026-21669 and CVE-2026-21671.
Importance of Timely Updates
Veeam emphasizes the urgency of applying these updates, as attackers commonly attempt to reverse-engineer patches post-disclosure to exploit unpatched systems. With a history of Veeam software being targeted in ransomware attacks, updating to the latest version is crucial for user protection against emerging threats.
By staying informed and promptly applying security updates, users can significantly reduce their risk and ensure the integrity of their backup systems against potential exploitation.
