Veeam has released security updates for its Backup & Replication software to fix a number of serious flaws that could allow remote code execution if successfully exploited.

The weaknesses are as follows:

CVE-2026-21666 (CVSS score: 9.9) - A flaw that lets an authenticated domain user remotely execute code on the Backup Server.

CVE-2026-21667 (CVSS score: 9.9) - A flaw that lets an authenticated domain user remotely execute code on the Backup Server.

CVE-2026-21668 (CVSS score: 8.8) - A flaw that lets an authenticated domain user bypass restrictions and manipulate arbitrary files on a Backup Repository.

CVE-2026-21672 (CVSS score: 8.8) - A flaw that lets an attacker with local access to Windows-based Veeam Backup & Replication servers escalate privileges.

CVE-2026-21708 (CVSS score: 9.9) - A flaw that lets a Backup Viewer remotely execute code as the postgres user.

These issues affect Veeam Backup & Replication 12.3.2.4165 and all earlier version 12 builds, and are fixed in version 12.3.2.4465.

Version 13.0.1.2067 fixes CVE-2026-21672 and CVE-2026-21708, as well as two more serious security holes:

CVE-2026-21669 (CVSS score: 9.9) - A flaw that lets an authenticated domain user remotely execute code on the Backup Server.

CVE-2026-21671 (CVSS score: 9.1) - A flaw that lets an authenticated user with the Backup Administrator role remotely execute code in Veeam Backup & Replication deployments that are set up for high availability (HA).

The company said in its advisory, "It's important to note that once a vulnerability and its associated patch are disclosed, attackers will likely try to reverse-engineer the patch to exploit unpatched deployments of Veeam software." Threat actors have used flaws in Veeam software to carry out ransomware attacks in the past, so it's important for users to update their instances to the most recent version to protect themselves from any possible threats.