Veeam has issued security updates addressing seven critical vulnerabilities in its Backup & Replication software, including several that allow remote code execution on the backup server.
The flaws include CVE-2026-21666 and CVE-2026-21667, which each let an authenticated domain user (any account in the domain the backup server is joined to, not a Veeam administrator) run code remotely on the Backup Server; CVE-2026-21668, which lets an authenticated domain user bypass restrictions and manipulate files on a Backup Repository; CVE-2026-21672, a local privilege escalation on Windows-based servers; and CVE-2026-21708, which lets a user holding the Backup Viewer role execute code as the postgres user.
The vulnerabilities affect Veeam Backup & Replication 12.3.2.4165 and all earlier version 12 builds, and are fixed in 12.3.2.4465. CVE-2026-21672 and CVE-2026-21708 are also fixed in Backup & Replication 13.0.1.2067, alongside two additional critical flaws, CVE-2026-21669 and CVE-2026-21671. The advisory notes that attackers may reverse-engineer the patches to target unpatched deployments once the details are public, so installing the fixed build promptly is the only effective mitigation.
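As an added example, not part of the advisory or Veeam's own tooling, the following script triages a list of installed Backup & Replication build numbers against the fixed builds named above and reports which of the listed CVEs each host is still exposed to. It assumes builds are four-part numbers compared component-wise, that every version 12 build below 12.3.2.4465 carries the five CVEs the advisory ties to that line, and that every version 13 build below 13.0.1.2067 carries the four CVEs fixed there (the advisory only names the fixed build, so the "all earlier 13 builds" reading is an assumption). The inventory rows are constructed sample data; in practice they would come from your asset inventory.

```python
"""Triage Veeam Backup & Replication builds against the advisory summarised above."""
from __future__ import annotations

from typing import Iterable, Optional

# Fixed builds per major version and the CVEs each fixed build closes, taken from the text.
# Mapping 13.x: assumption that all builds below 13.0.1.2067 are exposed to these four.
FIXED_BUILDS: dict[int, tuple[tuple[int, int, int, int], frozenset[str]]] = {
    12: (
        (12, 3, 2, 4465),
        frozenset({"CVE-2026-21666", "CVE-2026-21667", "CVE-2026-21668",
                   "CVE-2026-21672", "CVE-2026-21708"}),
    ),
    13: (
        (13, 0, 1, 2067),
        frozenset({"CVE-2026-21672", "CVE-2026-21708",
                   "CVE-2026-21669", "CVE-2026-21671"}),
    ),
}


def parse_build(build: str) -> tuple[int, int, int, int]:
    """Parse 'major.minor.patch.build' into an int tuple; reject anything else."""
    parts = build.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part Veeam build number: {build!r}")
    major, minor, patch, num = (int(p) for p in parts)
    return (major, minor, patch, num)


def assess_build(build: str) -> dict:
    """Return exposure for one build.

    'affected' is True/False for versions the advisory covers, None when the
    major version is outside the advisory and must be checked separately.
    """
    version = parse_build(build)
    entry = FIXED_BUILDS.get(version[0])
    if entry is None:
        return {"build": build, "affected": None, "fixed_in": None, "cves": [],
                "note": "major version not covered by this advisory"}
    fixed, cves = entry
    # Tuple comparison is component-wise, so 12.3.2.4165 < 12.3.2.4465 and
    # 12.1.0.1 < 12.3.2.4465, matching "all earlier builds".
    affected = version < fixed
    return {"build": build, "affected": affected,
            "fixed_in": ".".join(str(n) for n in fixed),
            "cves": sorted(cves) if affected else []}


def triage_inventory(rows: Iterable[tuple[str, str]]) -> list[tuple[str, dict]]:
    """Assess (hostname, build) rows; malformed builds are reported, not skipped."""
    report: list[tuple[str, dict]] = []
    for host, build in rows:
        try:
            report.append((host, assess_build(build)))
        except ValueError as exc:
            report.append((host, {"build": build, "affected": None, "fixed_in": None,
                                  "cves": [], "note": str(exc)}))
    return report


def hosts_needing_patch(rows: Iterable[tuple[str, str]]) -> list[str]:
    """Hostnames whose build is confirmed affected (None/unknown rows are excluded)."""
    return [host for host, result in triage_inventory(rows) if result["affected"] is True]


# Constructed sample inventory (hostnames and builds are made up for the example).
SAMPLE_INVENTORY: list[tuple[str, str]] = [
    ("vbr-prod-01", "12.3.2.4165"),   # last affected 12.x build per the advisory
    ("vbr-prod-02", "12.3.2.4465"),   # fixed 12.x build
    ("vbr-lab-01", "13.0.0.1"),       # below the fixed 13.x build (assumption: exposed)
    ("vbr-lab-02", "13.0.1.2067"),    # fixed 13.x build
    ("vbr-legacy", "11.0.1.1261"),    # not covered by this advisory
    ("vbr-broken", "12.3"),           # malformed inventory entry
]

if __name__ == "__main__":
    for host, result in triage_inventory(SAMPLE_INVENTORY):
        status = {True: "PATCH", False: "ok", None: "check"}[result["affected"]]
        print(f"{host:12} {result['build']:12} {status:6} "
              f"{', '.join(result['cves']) or result.get('note', '')}")
```

Hosts reported as "check" (unknown major version or a malformed build string) should be looked up against the vendor KB by hand rather than silently treated as patched; the script deliberately never maps an unparseable build to "ok".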