Veeam has released a major update to address a cluster of high-stakes vulnerabilities in Veeam Backup & Replication 12.3.2, including several Critical Remote Code Execution (RCE) flaws with near-perfect CVSS scores of 9.9. These vulnerabilities affect version 12.3.2.4165 and all earlier version 12 builds.
The most alarming discoveries in this patch involve three separate paths to gaining full control over a backup environment.
- CVE-2026-21666 & CVE-2026-21667 (CVSS 9.9): Both of these critical flaws allow an authenticated domain user to perform remote code execution on the Backup Server. This means an attacker who has already gained a foothold within a company’s domain could potentially hijack the entire backup infrastructure.
- CVE-2026-21708 (CVSS 9.9): This vulnerability allows a user with the lowly Backup Viewer role to perform RCE as the postgres user. This highlights a dangerous elevation of privilege where a restricted account can suddenly command the database at the heart of the system.
Beyond the headline-grabbing RCE bugs, the update also shores up defenses against attackers who have already penetrated the local perimeter:
- CVE-2026-21668 (CVSS 8.8): This high-severity flaw allows an authenticated domain user to bypass restrictions and manipulate arbitrary files on a Backup Repository.
- CVE-2026-21672 (CVSS 8.8): Reported through HackerOne, this vulnerability allows for local privilege escalation specifically on Windows-based Veeam Backup & Replication servers.
As part of this security alignment, Veeam also updated the Veeam Agent for Linux, adjusting the firewall port range to 2500-3300 to match other products in the ecosystem.
Veeam has confirmed that all of these vulnerabilities are resolved starting with Veeam Backup & Replication 12.3.2.4465.
Administrators are urged to deploy this patch immediately to secure their recovery points from unauthorized access or destruction.
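As an added example for this article (not Veeam's own tooling), the check below classifies a list of Backup & Replication build numbers against the version boundaries stated above, so an inventory can be triaged before patching. The host names and versions in the sample are constructed, and the handling of builds that fall between the last affected build and the first fixed build, and of non-12.x branches, is an assumption noted in the comments.

```python
"""Classify Veeam Backup & Replication builds against the advisory above."""
from typing import List, Tuple

# Boundaries taken from the article text.
LAST_AFFECTED = (12, 3, 2, 4165)  # this build and all earlier 12.x builds are affected
FIRST_FIXED = (12, 3, 2, 4465)    # fixes ship starting with this build


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '12.3.2.4165' into (12, 3, 2, 4165); missing trailing parts become 0."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (4 - len(nums))


def classify(version: str) -> str:
    """Return 'affected', 'fixed', 'affected-unconfirmed' or 'out-of-scope'."""
    v = parse_version(version)
    if v[0] != 12:
        # Assumption: the advisory only speaks about version 12 builds.
        return "out-of-scope"
    if v <= LAST_AFFECTED:
        return "affected"
    if v >= FIRST_FIXED:
        return "fixed"
    # Assumption: builds between the two cited numbers are not covered by the
    # article, so treat them as affected until the vendor confirms otherwise.
    return "affected-unconfirmed"


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return (host, status) pairs for every host whose build is not 'fixed'."""
    result = []
    for host, ver in inventory:
        status = classify(ver)
        if status != "fixed":
            result.append((host, status))
    return result


if __name__ == "__main__":
    # Constructed sample inventory; host names and versions are made up.
    sample = [("vbr-01", "12.3.2.4165"), ("vbr-02", "12.1.0.2131"),
              ("vbr-03", "12.3.2.4465"), ("vbr-04", "12.3.2.4300")]
    for host, status in triage(sample):
        print(f"{host}: {status}")
```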