
Veeam Patches Four CVSS 9.9 Flaws in Backup and Replication Software

By Artem Safonov, Threat Analyst

Veeam fixed seven vulnerabilities in Backup and Replication on March 11, 2026. Four carry a CVSS score of 9.9 out of 10. The flaws allow authenticated domain users to execute arbitrary code on backup servers, a category of bug that ransomware operators have repeatedly weaponized against this product. Patches cover both the version 12 and version 13 branches of the enterprise backup platform, used by more than 550,000 customers worldwide.

Five CVEs affect version 12 builds through 12.3.2.4165. CVE-2026-21666 and CVE-2026-21667 (both CVSS 9.9) let a domain user run remote code on the Backup Server. CVE-2026-21708 (CVSS 9.9) gives a Backup Viewer the ability to execute code as the postgres database user.

Two high-severity flaws round out the version 12 set. CVE-2026-21668 (CVSS 8.8) enables arbitrary file manipulation on a Backup Repository, and CVE-2026-21672 (CVSS 8.8) allows local privilege escalation on Windows. Build 12.3.2.4465 resolves all five.

Version 13 users need build 13.0.1.2067. That release fixes CVE-2026-21672 and CVE-2026-21708 along with two critical flaws absent from the version 12 advisory. CVE-2026-21669 (CVSS 9.9) mirrors the domain-user RCE pattern. CVE-2026-21671 (CVSS 9.1) targets high-availability deployments and requires the Backup Administrator role.

A separate v13-only issue rounds out the disclosure. CVE-2026-21670 (CVSS 7.7) allows a low-privileged user to extract saved SSH credentials from the server.

All four CVSS 9.9 bugs share the same attack profile: reachable over the network, low attack complexity, low privileges required, and no user interaction. Those are the conditions that make a bug exploitable from any ordinary domain account. In Active Directory environments where an attacker already has a foothold, domain user credentials are routinely available through credential theft or lateral movement.

Once a vulnerability and its associated patch are disclosed, attackers will likely attempt to reverse-engineer the patch to exploit unpatched deployments of Veeam software.

— Veeam, KB4830 security advisory, March 11, 2026

Two of the flaws reached Veeam through its HackerOne bug bounty program. The other five came from internal code audits. Specific vulnerability classes behind the CVEs remain undisclosed.

Backup servers have been a consistent ransomware target for years. In March 2023, Veeam patched CVE-2023-27532 (CVSS 7.5), a flaw the FIN7 threat group later exploited in Cuba ransomware campaigns against U.S. critical infrastructure. CVE-2024-40711 (CVSS 9.8, patched September 2024) proved more damaging, giving attackers unauthenticated remote code execution.

CISA tagged CVE-2024-40711 with its rarely used "ransomware" label in October 2024. Sophos X-Ops tracked at least five incidents where Akira, Fog, and Frag ransomware operators weaponized that single bug within weeks of disclosure. NHS England issued a standalone alert.

Backup systems are a consistent target for cybercriminals because they control recovery, data protection, and in many cases have broad access across infrastructure.

— Shane Barney, Chief Information Security Officer, Keeper Security

Rapid7's incident response data reinforced the pattern. More than 20% of the firm's cases in 2024 involved Veeam infrastructure being accessed or exploited after an initial compromise.

March 2026 marks the third major Veeam Backup and Replication patch cycle in 12 months. CVE-2025-23120 (CVSS 9.9, March 2025) hit domain-joined version 12 installations. CVE-2025-59470 (CVSS 9.0, January 2026) allowed RCE through the Backup and Tape Operator roles. Four CVSS 9.9 flaws in one advisory is the largest number of critical RCE bugs Veeam has disclosed at once.

No active exploitation of the new CVEs has been reported as of March 13, 2026. No CISA KEV entries have appeared for them. But past Veeam vulnerabilities were weaponized within weeks of disclosure, and the company's own advisory warns explicitly about patch reverse-engineering.

Organizations running any version 12 or version 13 build of Veeam Backup and Replication should update immediately. Until patching is complete, verify that Backup Server instances are not exposed to the internet and protect domain accounts with phishing-resistant MFA.

Monitor backup server logs until the update is applied. Look for unexpected child processes spawned by Veeam services, newly created local accounts, and non-standard PostgreSQL connections.

Veeam products serve 74% of Global 2,000 companies and 82% of the Fortune 500.
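The three indicators in the monitoring guidance above, turned into triage logic over sample records. This is an added example written for this article, not Veeam tooling or anything from the KB4830 advisory. The record layout mimics Windows Security events 4688 (process creation) and 4720 (user account created) and PostgreSQL connection log lines with a `log_line_prefix` that includes `%h`, but every value is constructed. The Veeam service binary names, the list of "suspicious" child processes, and the assumption that version 12's bundled PostgreSQL only sees loopback connections from the `postgres` role to the `VeeamBackup` database are site-specific assumptions to adjust, not facts from the advisory.

```python
"""Triage of three post-compromise indicators on a Veeam backup server.

Added example for this article, not Veeam code. All sample data below is
constructed; allow-lists are assumptions to tune for the environment.
"""
import re

# Assumption: service binaries from a default Windows install of Backup & Replication.
VEEAM_SERVICES = {
    "veeam.backup.service.exe",
    "veeam.backup.manager.exe",
    "veeam.backup.mountservice.exe",
}
# Children a backup service has no routine reason to spawn. Post-job scripts
# can legitimately launch cmd/powershell, so treat hits as leads, not verdicts.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "certutil.exe", "rundll32.exe",
    "mshta.exe", "wscript.exe", "cscript.exe", "regsvr32.exe", "bitsadmin.exe",
}
# Assumption: v12 ships a local PostgreSQL; only loopback/socket connections by
# the postgres role to the VeeamBackup database are expected.
PG_ALLOWED_HOSTS = {"127.0.0.1", "::1", "[local]"}
PG_ALLOWED_USERS = {"postgres"}
PG_ALLOWED_DBS = {"veeambackup"}

# Matches a line written with log_line_prefix = '%m [%p] %h ' (assumption).
PG_LINE = re.compile(
    r"\[(?P<pid>\d+)\] (?P<host>\S+) LOG:\s+connection authorized: "
    r"user=(?P<user>\S+) database=(?P<db>\S+)"
)


def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def flag_process_events(events):
    """4688 events where a Veeam service process spawned a suspicious child."""
    hits = []
    for ev in events:
        if ev.get("event_id") != 4688:
            continue
        parent, child = basename(ev["parent"]), basename(ev["new_process"])
        if parent in VEEAM_SERVICES and child in SUSPICIOUS_CHILDREN:
            hits.append(f"{parent} -> {child}: {ev.get('cmdline', '')}")
    return hits


def flag_account_creations(events):
    """Every 4720 event: a new local account on a backup server needs a reason."""
    return [f"{ev['subject']} created {ev['target']}"
            for ev in events if ev.get("event_id") == 4720]


def flag_postgres_connections(lines):
    """Connections from outside the allow-lists, with the reasons they tripped."""
    hits = []
    for line in lines:
        m = PG_LINE.search(line)
        if not m:
            continue
        host, user, db = m["host"], m["user"].lower(), m["db"].lower()
        reasons = []
        if host not in PG_ALLOWED_HOSTS:
            reasons.append("remote host")
        if user not in PG_ALLOWED_USERS:
            reasons.append("unexpected role")
        if db not in PG_ALLOWED_DBS:
            reasons.append("unexpected database")
        if reasons:
            hits.append(f"{user}@{host}/{db}: {', '.join(reasons)}")
    return hits


# Constructed sample telemetry (invented values, not captured from a real host).
VBR = r"C:\Program Files\Veeam\Backup and Replication\Backup"
SAMPLE_EVENTS = [
    # Routine: the service starting a job manager.
    {"event_id": 4688, "parent": VBR + r"\Veeam.Backup.Service.exe",
     "new_process": VBR + r"\Veeam.Backup.Manager.exe", "cmdline": ""},
    # Suspicious: the service spawning a shell.
    {"event_id": 4688, "parent": VBR + r"\Veeam.Backup.Service.exe",
     "new_process": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c whoami > c:\\temp\\o.txt"},
    # Not a Veeam parent; ignored by this rule.
    {"event_id": 4688, "parent": r"C:\Windows\explorer.exe",
     "new_process": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
    {"event_id": 4720, "subject": "VBR01$", "target": "svc_bkp2"},
]
SAMPLE_PG_LOG = [
    "2026-03-12 02:13:55 UTC [4501] 127.0.0.1 LOG:  connection authorized: user=postgres database=VeeamBackup",
    "2026-03-12 02:14:07 UTC [4512] 10.0.0.5 LOG:  connection authorized: user=postgres database=VeeamBackup",
    "2026-03-12 02:14:09 UTC [4513] 127.0.0.1 LOG:  connection authorized: user=backupop database=postgres",
]


def triage(events=SAMPLE_EVENTS, pg_lines=SAMPLE_PG_LOG):
    """Run all three checks and return the findings grouped by indicator."""
    return {
        "processes": flag_process_events(events),
        "accounts": flag_account_creations(events),
        "postgres": flag_postgres_connections(pg_lines),
    }


if __name__ == "__main__":
    for name, findings in triage().items():
        print(name, *findings, sep="\n  ")
```

On the sample data this flags the shell spawned by `Veeam.Backup.Service.exe`, the new `svc_bkp2` account, and two PostgreSQL connections (one from a remote host, one using a role and database the backup server should never use). The allow-lists are deliberately strict; loosen them per site rather than widening the suspicious-child list, since a silent miss on the backup server is worse than a few false positives during the patch window.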


Questions on the topic

What Veeam Backup and Replication vulnerabilities were patched in March 2026?
Veeam patched seven flaws on March 11, 2026, four rated CVSS 9.9, allowing authenticated domain users to achieve remote code execution on backup servers. Fixes are available in builds 12.3.2.4465 (version 12) and 13.0.1.2067 (version 13).