socradar.io 3/13/2026, 2:38:45 PM · via preferred

Veeam Backup & Replication: CVE-2026-21666 and Related RCE Fixes

Veeam shipped new security fixes for Veeam Backup & Replication on 12 March 2026, publishing separate KBs for its supported major branches. The updates address a cluster of vulnerabilities that includes multiple Remote Code Execution paths and a Windows local privilege escalation issue.

Across both branches, the fixes cover eight CVEs: CVE-2026-21666, CVE-2026-21667, CVE-2026-21668, CVE-2026-21669, CVE-2026-21670, CVE-2026-21671, CVE-2026-21672, and CVE-2026-21708, with authenticated RCE on the Backup Server and RCE-as-postgres via the Backup Viewer being the highest-risk items.

Veeam’s advisories separate affected builds by major version: VBR 12.3.2.4165 or earlier is fixed in 12.3.2.4465 (KB4830), and VBR 13.0.1.1071 or earlier is fixed in 13.0.1.2067 (KB4831), so mixed environments require parallel remediation tracks, one per branch.
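As an added example (not code from SOCRadar or Veeam), a small Python helper that maps an inventory of VBR build numbers onto the two fix tracks above; the thresholds are the ones the KBs quote, the inventory is constructed, and treating every build below the fixed build as unpatched is an assumption:

```python
from dataclasses import dataclass
from typing import Optional

# Fixed builds per major branch, as quoted from KB4830 / KB4831 on this page.
FIXED_BUILDS = {12: ("12.3.2.4465", "KB4830"), 13: ("13.0.1.2067", "KB4831")}

def parse_build(s: str) -> tuple:
    """'12.3.2.4165' -> (12, 3, 2, 4165); tuples order the way dotted builds do."""
    parts = s.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric build: {s!r}")
    return tuple(int(p) for p in parts)

@dataclass
class Verdict:
    branch: str            # "12.x", "13.x" or "unlisted"
    status: str            # "patched", "unpatched" or "unlisted"
    fixed_build: Optional[str]
    kb: Optional[str]

def assess(build: str) -> Verdict:
    """Hypothetical helper: decide whether one VBR build carries the March 2026 fix."""
    v = parse_build(build)
    if v[0] not in FIXED_BUILDS:
        # Branch not named in these KBs (e.g. 11.x): flag for manual review
        # rather than silently treating it as safe.
        return Verdict("unlisted", "unlisted", None, None)
    fixed, kb = FIXED_BUILDS[v[0]]
    # Assumption: every build below the fixed build is unpatched, including builds
    # between the "or earlier" cutoff and the fixed build that the KBs do not list.
    status = "patched" if v >= parse_build(fixed) else "unpatched"
    return Verdict(f"{v[0]}.x", status, fixed, kb)

def remediation_tracks(inventory: dict) -> dict:
    """Group hosts still needing work by KB, giving one list per remediation track."""
    tracks: dict = {}
    for host, build in inventory.items():
        verdict = assess(build)
        if verdict.status == "patched":
            continue
        tracks.setdefault(verdict.kb or "review", []).append(host)
    return tracks

if __name__ == "__main__":
    # Constructed sample inventory (hostnames and builds are made up for the example).
    sample = {"vbr-eu-01": "12.3.2.4165", "vbr-eu-02": "12.3.2.4465",
              "vbr-us-01": "13.0.1.1071", "vbr-lab-01": "11.0.1.1261"}
    for host, build in sample.items():
        print(host, build, assess(build))
    print(remediation_tracks(sample))
```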

Defenders are urged to tighten access to VBR, review role assignments such as Backup Viewer, and monitor for anomalous activity; patching remains the priority action, and exploitation in the wild has not been reported for this specific patch set. Prior Veeam vulnerabilities have been exploited by ransomware actors, which is why the credential-exposure and HA-deployment-related RCEs warrant particular attention.


Article by CyberSIXT