
Veeam Patches Critical Vulnerabilities in Backup & Replication


Veeam has resolved several security issues in its Backup & Replication platform. These include four critical vulnerabilities that could allow attackers to remotely execute code on backup servers.

Backup & Replication is widely used in enterprise environments to create and restore backups. IT teams use the software to store copies of critical data so that systems can be quickly restored following cyberattacks or hardware failures.

Three of the vulnerabilities allow a domain user with limited privileges to remotely execute code on a vulnerable backup server, BleepingComputer reports. They are tracked as CVE-2026-21666, CVE-2026-21667, and CVE-2026-21669. Veeam rates the attack complexity as low, which raises the exploitation risk in any Active Directory environment: the attacker needs only an ordinary domain account, not an administrative one.

A fourth critical vulnerability, tracked as CVE-2026-21708, allows a user holding the Backup Viewer role to execute code with the privileges of the postgres account, the service account of the PostgreSQL database that Backup & Replication uses for its configuration.

In addition to the critical issues, Veeam has also addressed several high-severity security vulnerabilities. These could be exploited to gain elevated privileges on Windows servers running Backup & Replication. It was also possible to obtain stored SSH credentials and bypass restrictions that normally prevent arbitrary files from being modified in a backup repository.

The vulnerabilities were discovered during internal security testing or reported via the HackerOne bug bounty platform. They have been resolved in Veeam Backup & Replication versions 12.3.2.4465 and 13.0.1.2067.
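Because the fixed builds differ per major branch, an inventory check has to compare a 12.x build against 12.3.2.4465 and a 13.x build against 13.0.1.2067 rather than against a single number. The following script is an added example, not Veeam's code or a Veeam tool; it assumes the operator has already collected each server's build number (for instance from the console's Help > About dialog) and feeds it in as text, and it treats branches the article names no fixed build for (11.x and older) as out of scope rather than guessing.

```python
# Branch-aware check of Veeam Backup & Replication build numbers against the
# fixed builds named in the advisory. Added example, not Veeam's code.
# ASSUMPTION: version strings are collected by the operator and passed in as
# text; nothing here queries a live server.
from typing import Dict, List, Tuple

Build = Tuple[int, ...]

# Fixed builds from the article, keyed by major version (12.x and 13.x).
FIXED_BUILDS: Dict[int, Build] = {
    12: (12, 3, 2, 4465),
    13: (13, 0, 1, 2067),
}


def parse_build(version: str) -> Build:
    """Turn '12.3.2.4465' into (12, 3, 2, 4465); reject anything non-numeric."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted build number: {version!r}")
    return tuple(int(p) for p in parts)


def patch_status(version: str) -> str:
    """Return 'patched', 'vulnerable', or 'unknown-branch' for one build."""
    build = parse_build(version)
    fixed = FIXED_BUILDS.get(build[0])
    if fixed is None:
        # The article names no fixed build for this major version, so do not
        # guess; flag it for a manual look (it likely needs a branch upgrade).
        return "unknown-branch"
    # Tuple comparison is element-wise, so a shorter string such as '12.3'
    # still sorts correctly below the full fixed build.
    return "patched" if build >= fixed else "vulnerable"


def servers_needing_action(inventory: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (host, build, status) for every host that is not confirmed patched."""
    findings = []
    for host, version in sorted(inventory.items()):
        status = patch_status(version)
        if status != "patched":
            findings.append((host, version, status))
    return findings


# Constructed sample inventory (hostnames and builds are made up for the example).
SAMPLE_INVENTORY = {
    "vbr-prod-01": "12.3.2.4465",   # at the fixed build
    "vbr-prod-02": "12.3.1.1139",   # older 12.3 build, not fixed
    "vbr-lab-01": "13.0.0.4967",    # 13.0 GA, below the fixed 13.0.1 build
    "vbr-dr-01": "13.0.1.2067",     # at the fixed build
    "vbr-legacy": "11.0.1.1261",    # branch the article does not cover
}

if __name__ == "__main__":
    for host, version, status in servers_needing_action(SAMPLE_INVENTORY):
        print(f"{host:12} {version:14} {status}")
```

Feeding it the constructed inventory reports the two unpatched 12.x/13.x hosts and the uncovered 11.x host; a build equal to or above the fixed number on its own branch is reported as patched.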

Veeam urges prompt updates

Veeam stresses that the updates should be installed without delay. Once an advisory and its patch are public, attackers routinely diff the patched binaries against the previous build to locate the fixed code paths, and then use what they learn to go after systems that have not yet been updated. The company points to this as the reason to keep the software current and apply security updates as soon as they are released.

Backup servers have long been an attractive target for ransomware groups. Because these systems often have access to large amounts of data and play a central role in recovery processes, attackers can achieve multiple objectives with them. They can move more quickly through a network, steal data, and hinder recovery by deleting or manipulating backups.

In the past, several attacks have been linked to vulnerabilities in Veeam software. For example, the cybercrime group FIN7 was linked to attacks on Veeam environments. According to earlier reports, the Cuba ransomware group also exploited such vulnerabilities.

In addition, Sophos incident responders reported in 2024 that the Frag ransomware exploited a previous vulnerability in Veeam Backup & Replication. That same flaw was also used in attacks involving Akira and Fog ransomware.

Veeam reports that its solutions are used by more than 550,000 organizations worldwide. These include many large companies, including a significant portion of the Global 2000 and the Fortune 500. For organizations that rely on the software, it is therefore essential to apply updates and patches promptly.