
March 13 vulnerability digest brings eight Veeam Backup flaws with four CVSS 9.9 RCEs

By Artem Safonov, Threat Analyst
Cover © Anonhaven

Veeam patched eight vulnerabilities in Backup and Replication on March 12, 2026. Four carry a CVSS score of 9.9. Security databases published 124 new vulnerability identifiers on March 13, with 67 flagged as operationally relevant. The Veeam cluster dominates the day, with backup servers directly exposed to remote code execution by any authenticated domain user.

Three of the four CVSS 9.9 vulnerabilities allow authenticated domain users to execute arbitrary code on the Backup Server. CVE-2026-21666 and CVE-2026-21667 (both CVSS 9.9) affect version 12 deployments. CVE-2026-21669 (CVSS 9.9) targets version 13 environments. The fourth, CVE-2026-21708 (CVSS 9.9), lets a user with only the Backup Viewer role run code as the postgres database user.

CVE-2026-21671 (CVSS 9.1) enables remote code execution specifically in high-availability (HA) deployments when an attacker holds the Backup Administrator role. CVE-2026-21672 (CVSS 8.8) opens a local privilege escalation path on Windows-based Backup and Replication servers. Both affect the v12 and v13 branches.

Veeam released fixed builds for both branches on March 12. Version 12.3.2.4465 patches all v12 issues. Version 13.0.1.2067 addresses the v13 set. Organizations running mixed estates need to treat these as two parallel update tracks, since the vulnerability sets overlap but the affected build ranges differ.
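The two-track detail is easy to get wrong in inventory tooling: a v12 host must be judged only against 12.3.2.4465, a v13 host only against 13.0.1.2067, and the build string has to be compared numerically, because as plain text "12.3.10.1" sorts below "12.3.2.4465". The script below is an added example for this digest, not Veeam's own tooling. The fixed builds are the two quoted above; the hostnames and installed builds are constructed samples, and collecting the version string from each host (registry, console, or the Veeam PowerShell module) is left to the reader.

```python
"""Per-branch patch check for Veeam Backup & Replication builds.

Added example, not Veeam's code or tooling. The fixed builds are the two
named in the March 12, 2026 advisory; the inventory below is constructed.
"""
from __future__ import annotations

# Fixed builds keyed by major version branch (v12 and v13 are parallel tracks).
FIXED_BUILDS: dict[int, tuple[int, ...]] = {
    12: (12, 3, 2, 4465),
    13: (13, 0, 1, 2067),
}


def parse_build(version: str) -> tuple[int, ...]:
    """Turn '12.3.2.4465' into a tuple of ints so comparison is numeric, not lexical."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Veeam build string: {version!r}")
    return tuple(int(p) for p in parts)


def patch_status(version: str) -> str:
    """Classify one installed build against the fixed build of its own branch.

    Returns 'patched', 'vulnerable' or 'unsupported-branch'. A v12 host is
    never compared with the v13 build and vice versa; a branch the advisory
    does not cover (v11 and older) is reported separately rather than guessed.
    """
    build = parse_build(version)
    fixed = FIXED_BUILDS.get(build[0])
    if fixed is None:
        return "unsupported-branch"
    return "patched" if build >= fixed else "vulnerable"


def triage(hosts: dict[str, str]) -> dict[str, list[str]]:
    """Group hostnames by status so each update track can be scheduled on its own."""
    groups: dict[str, list[str]] = {"patched": [], "vulnerable": [], "unsupported-branch": []}
    for host, version in hosts.items():
        groups[patch_status(version)].append(host)
    return groups


# Constructed inventory: hostnames and installed builds are illustrative only.
SAMPLE_INVENTORY = {
    "vbr-dc1": "12.3.1.1139",  # v12, below the v12 fixed build  -> vulnerable
    "vbr-dc2": "12.3.2.4465",  # exactly the v12 fixed build     -> patched
    "vbr-lab": "13.0.0.4967",  # v13, below the v13 fixed build  -> vulnerable
    "vbr-hq": "13.0.1.2067",   # exactly the v13 fixed build     -> patched
    "vbr-old": "11.0.1.1261",  # v11: outside the advisory's scope
}

if __name__ == "__main__":
    for status, names in triage(SAMPLE_INVENTORY).items():
        print(f"{status:>18}: {', '.join(names) or '-'}")
```

Run it against a real inventory and the "vulnerable" bucket splits naturally into the two update tracks by the first component of the build string; anything in "unsupported-branch" needs a version upgrade before any of these fixes apply.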

It's important to note that once a vulnerability and its associated patch are disclosed, attackers will likely attempt to reverse-engineer the patch to exploit unpatched deployments of Veeam software.

— the company warned in its advisory

No active exploitation has been reported. But backup infrastructure is a prime ransomware target because compromising it gives direct control over repositories, stored credentials, and hypervisor access. The deserialization vulnerability CVE-2024-40711 (CVSS 9.8), patched by Veeam in September 2024, was rapidly weaponized by Akira and Fog ransomware groups within weeks of disclosure.

Multiple RCE paths start from an authenticated domain user, which places emphasis on identity hygiene and lateral movement controls, not just perimeter exposure.

— SOCRadar wrote in its advisory analysis
Vulnerability    CVSS  Product / Component                        Fix
CVE-2026-21666   9.9   Veeam B&R v12 (domain user RCE)            12.3.2.4465
CVE-2026-21667   9.9   Veeam B&R v12 (domain user RCE)            12.3.2.4465
CVE-2026-21669   9.9   Veeam B&R v13 (domain user RCE)            13.0.1.2067
CVE-2026-21708   9.9   Veeam B&R v12/v13 (Viewer RCE as postgres) 12.3.2.4465 / 13.0.1.2067
CVE-2026-21671   9.1   Veeam B&R v13 HA (Admin RCE)               13.0.1.2067
CVE-2026-32251   9.3   Tolgee localization platform (XXE)         3.166.3
CVE-2026-21672   8.8   Veeam B&R Windows (LPE)                    12.3.2.4465 / 13.0.1.2067
CVE-2026-3841    8.5   TP-Link TL-MR6400 v5.3 (CLI injection)     Pending

Outside the Veeam cluster, Tolgee drew the day's other critical rating. CVE-2026-32251 (CVSS 9.3) is an XXE (XML External Entity) injection in the open-source localization platform. The XML parsers used for importing Android .xml and .resx translation files do not disable external entity processing, letting an authenticated user with import permissions read arbitrary server files and send requests to internal services. Tolgee fixed the issue in version 3.166.3.
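The fix for this bug class is not to sanitize the entity reference but to refuse the DTD that declares it, before the document reaches the tree parser. The script below is an added example for this digest, not Tolgee's code, and says nothing about how Tolgee's own importer is wired; it shows an importer for Android strings.xml and .NET .resx files using only Python's standard library, gating every upload with a first pass in xml.parsers.expat that rejects any DOCTYPE or entity declaration. The two translation files and the XXE payload are constructed samples.

```python
"""Reject DTD and entity declarations before parsing localization imports.

Added example illustrating the bug class behind CVE-2026-32251. Not Tolgee's
code; the sample files below are constructed for the demonstration.
"""
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat


class UnsafeXmlImport(ValueError):
    """Raised when an uploaded translation file carries a DTD or an entity declaration."""


def assert_no_dtd(data: bytes) -> None:
    """First pass: fail fast on <!DOCTYPE ...> or any <!ENTITY ...> declaration.

    An XXE payload needs a DTD to declare its external entity, so refusing the
    DTD outright blocks local file reads and SSRF through SYSTEM identifiers,
    and also the billion-laughs style of internal entity expansion.
    """
    parser = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXmlImport(f"DOCTYPE '{name}' is not allowed in a translation import")

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        raise UnsafeXmlImport(f"entity declaration '{name}' is not allowed")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.Parse(data, True)  # exceptions raised in handlers propagate out of Parse()


def parse_android_strings(data: bytes) -> dict[str, str]:
    """Parse Android strings.xml: <resources><string name="k">v</string></resources>."""
    assert_no_dtd(data)
    root = ET.fromstring(data)
    if root.tag != "resources":
        raise UnsafeXmlImport("not an Android resources file")
    return {el.get("name"): (el.text or "") for el in root.iter("string") if el.get("name")}


def parse_resx(data: bytes) -> dict[str, str]:
    """Parse .NET .resx: <root><data name="k"><value>v</value></data></root>."""
    assert_no_dtd(data)
    root = ET.fromstring(data)
    out: dict[str, str] = {}
    for d in root.iter("data"):
        name, value = d.get("name"), d.find("value")
        if name and value is not None:
            out[name] = value.text or ""
    return out


def is_safe_import(data: bytes) -> bool:
    """True if the upload passes the DTD gate, False if it is rejected."""
    try:
        assert_no_dtd(data)
    except UnsafeXmlImport:
        return False
    return True


# Constructed samples: a benign Android file, a benign .resx file, and an
# XXE-style payload whose external entity points at a local file.
BENIGN_ANDROID = b"""<?xml version="1.0" encoding="utf-8"?>
<resources>
    <string name="app_name">Example</string>
    <string name="greeting">Hello, %s!</string>
</resources>"""

BENIGN_RESX = b"""<?xml version="1.0" encoding="utf-8"?>
<root>
  <data name="Title" xml:space="preserve"><value>Settings</value></data>
</root>"""

XXE_ANDROID = b"""<?xml version="1.0"?>
<!DOCTYPE resources [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<resources>
    <string name="app_name">&xxe;</string>
</resources>"""

if __name__ == "__main__":
    print(parse_android_strings(BENIGN_ANDROID))
    print(parse_resx(BENIGN_RESX))
    try:
        parse_android_strings(XXE_ANDROID)
    except UnsafeXmlImport as exc:
        print("rejected:", exc)
```

CPython's ElementTree will not fetch an external entity on its own (it reports the reference as undefined), but it does expand internal entities, and parsers with libxml2 or Java DocumentBuilderFactory defaults do resolve SYSTEM identifiers. Rejecting the DTD up front makes the importer safe regardless of which parser sits behind it, which is the property an import endpoint that accepts user-supplied XML needs.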

TP-Link's TL-MR6400 v5.3 router picked up CVE-2026-3841 (CVSS 8.5), a command injection through the Telnet CLI. No patch was available from TP-Link at the time of publication; until one ships, disable Telnet access on the device.

Editorial assessment. The March 13 digest is dominated by Veeam, with four CVSS 9.9 flaws in a single backup product, three of which let any authenticated domain user execute code on the server and one of which needs only the Backup Viewer role. The 2024 precedent with CVE-2024-40711 showed that Veeam patches get reverse-engineered and weaponized within weeks. Organizations should treat the March 12 update as an emergency deployment, patch the v12 and v13 branches in parallel against their respective fixed builds, and audit which accounts hold the Backup Administrator and Backup Viewer roles.

Questions on the topic

What Veeam vulnerabilities were patched in March 2026?
Veeam patched eight vulnerabilities in Backup and Replication on March 12, 2026, including four CVSS 9.9 remote code execution flaws. Authenticated domain users could run arbitrary code on the backup server. Update to version 12.3.2.4465 (v12) or 13.0.1.2067 (v13).