Veeam Fixes Security Holes on Backup Server

Veeam Backup & Replication has received an important security update that fixes serious flaws that could let attackers execute code remotely and escalate privileges. The latest security patch (Build 12.3.2.4465), released on March 12, 2026, is an important update for administrators who need to protect their backup systems from current threats. Applying fixes for Veeam backup software promptly is an essential part of modern infrastructure security.

Fixed Important Security Holes

The update fixes three critical-severity vulnerabilities, each with a CVSS 3.1 score of 9.9, which is almost the highest possible score. These flaws pose serious threats to business backup systems:

CVE-2026-21666 (Critical 9.9): Lets an authenticated domain user execute arbitrary code remotely on the Veeam Backup Server.

CVE-2026-21667 (Critical 9.9): Like the previous flaw, lets an authenticated domain user achieve remote code execution (RCE) on the Backup Server, which could let them take over the whole system.

CVE-2026-21708 (Critical 9.9): Lets an attacker with Backup Viewer permissions achieve RCE as the internal PostgreSQL user, giving them unauthorized control over backend database processes.

Veeam fixed two high-severity vulnerabilities in addition to the critical RCE bugs. Both scored 8.8 on the CVSS scale:

CVE-2026-21668 (High 8.8): A restriction bypass that lets an authenticated domain user change any files on a Backup Repository, which could damage the integrity of backups.

CVE-2026-21672 (High 8.8): A flaw in Windows-based Veeam Backup & Replication servers that lets an attacker with limited local access escalate their privileges.

Fixes and Improvements to Technology

In addition to fixing the CVEs listed above, build 12.3.2.4465 updates several key components to make the product more secure overall. The patch brings decode-uri-component up to version 0.2.2, Newtonsoft.Json up to version 13.0.3, and path-to-regexp up to version 1.9.0.

The release also fixes a number of functional issues. When you update RHEL infrastructure servers with the DISA STIG profile enabled, the public GPG key used to verify Veeam packages is now updated correctly. Veeam suggests temporarily turning off the fapolicyd service during this update to make sure everything goes smoothly. The update also fixes a deserialization bug that caused PostgreSQL item restores to fail when they were started from Enterprise Manager.

Veeam strongly suggests that administrators install the security patch right away. To check which version you are running, open the Main Menu in the Veeam Backup & Replication Console and go to Help > About.

If your organization is currently using version 12.3.2 (builds 12.3.2.3617 or 12.3.2.4165), you can download and install a smaller patch file that is available as an ISO or an EXE. If you have an older version of the software, such as 12.3.1 or earlier, you need to use the full installation ISO to upgrade to the patched 12.3.2.4465 build. To avoid errors, always unblock the files you downloaded before running the installer.
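
For teams running more than one backup server, the upgrade rules above can be applied to an inventory of build strings collected from Help > About. The script below is an added example, not Veeam tooling: the host names and the two non-article builds in the sample are constructed, and any build the article does not cover is flagged for manual review instead of being guessed at.

```python
import re

# Build numbers below are the ones named in the article.
FIXED_BUILD = (12, 3, 2, 4465)
PATCH_ELIGIBLE = {(12, 3, 2, 3617), (12, 3, 2, 4165)}

def parse_build(text):
    """Return a four-part build as a tuple of ints, or None if malformed."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)\.(\d+)\s*", text or "")
    return tuple(int(p) for p in m.groups()) if m else None

def upgrade_path(text):
    """Classify one build string according to the article's upgrade rules."""
    build = parse_build(text)
    if build is None:
        return "unparseable"      # e.g. a three-part version with no build
    if build == FIXED_BUILD:
        return "patched"
    if build in PATCH_ELIGIBLE:
        return "patch"            # smaller ISO/EXE patch applies
    if build[:3] <= (12, 3, 1):
        return "full-iso"         # 12.3.1 or earlier: full installation ISO
    return "review"               # build not covered by the article

def triage(inventory):
    """Group host names (sorted) by the action each one needs."""
    plan = {}
    for host in sorted(inventory):
        plan.setdefault(upgrade_path(inventory[host]), []).append(host)
    return plan

# Constructed sample inventory (hypothetical hosts; last three builds are made up).
SAMPLE = {
    "vbr-a": "12.3.2.4465",
    "vbr-b": "12.3.2.3617",
    "vbr-c": "12.3.2.4165",
    "vbr-d": "12.3.1.0",
    "vbr-e": "12.3.2.4000",
    "vbr-f": "12.3.2",
}

if __name__ == "__main__":
    for action, hosts in triage(SAMPLE).items():
        print(f"{action:12} {', '.join(hosts)}")
```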