Urgent: Veeam Backup & Replication Critical Vulnerabilities

We’d like to make you aware of multiple critical security vulnerabilities (CVSS 9.9) that have recently been identified in Veeam Backup & Replication v12. These vulnerabilities could allow an authenticated domain user to execute remote code on affected servers.

Summary of the Vulnerabilities:

• CVE-2026-21666 – A vulnerability allowing an authenticated domain user to perform remote code execution (RCE) on the Backup Server
• CVE-2026-21667 – A vulnerability allowing an authenticated domain user to perform remote code execution (RCE) on the Backup Server.
• CVE-2026-21668 – A vulnerability allowing an authenticated domain user to bypass restrictions and manipulate arbitrary files on a Backup Repository.
• CVE-2026-21672 – A vulnerability allowing local privilege escalation on Windows-based Veeam Backup & Replication servers.
• Full Veam article can be found here.

What’s Affected:

• Veeam Backup & Replication | 12 | 12.1 | 12.2 | 12.3 | 12.3.1 | 12.3.2

Recommended Action:
We strongly encourage reviewing your environment to identify if you are running an affected version. If so, patching or mitigation steps should be applied as soon as possible to reduce exposure.