We’d like to make you aware of multiple critical security vulnerabilities (CVSS 9.9) that have recently been identified in Veeam Backup & Replication v12. These vulnerabilities could allow an authenticated domain user to execute code remotely on affected servers.
Summary of the Vulnerabilities:
- CVE-2026-21666 – A vulnerability allowing an authenticated domain user to perform remote code execution (RCE) on the Backup Server.
- CVE-2026-21667 – A vulnerability allowing an authenticated domain user to perform remote code execution (RCE) on the Backup Server.
- CVE-2026-21668 – A vulnerability allowing an authenticated domain user to bypass restrictions and manipulate arbitrary files on a Backup Repository.
- CVE-2026-21672 – A vulnerability allowing local privilege escalation on Windows-based Veeam Backup & Replication servers.
- Full Veeam article can be found here.
What’s Affected:
- Veeam Backup & Replication versions 12, 12.1, 12.2, 12.3, 12.3.1 and 12.3.2
Recommended Action:
We strongly encourage reviewing your environment to determine whether you are running an affected version. If so, patching or mitigation steps should be applied as soon as possible to reduce exposure.