Veeam has released a major security update for Veeam Backup & Replication to address a cluster of high-stakes vulnerabilities, including multiple Critical Remote Code Execution (RCE) flaws. These vulnerabilities affect version 13.0.1.1071 and all earlier builds of version 13.
The most severe issues, discovered largely through internal testing, could allow attackers to seize control of backup infrastructure—the very last line of defense for most organizations.
The update addresses three distinct paths to Remote Code Execution, two of which carry a near-maximum CVSS score of 9.9.
- CVE-2026-21669 (CVSS 9.9): This flaw allows any authenticated domain user to execute code remotely on the Windows-based Backup Server. In many environments, “domain user” is a broad category, making this a highly dangerous internal threat vector.
- CVE-2026-21708 (CVSS 9.9): Even more startlingly, this vulnerability allows a user with the lowly Backup Viewer role to perform RCE as the postgres user. This bypasses traditional role-based access controls designed to keep “view-only” accounts safe.
- CVE-2026-21671 (CVSS 9.1): Affecting the Veeam Software Appliance in High Availability (HA) deployments, this allows a Backup Administrator to achieve RCE.
Beyond the headline RCE bugs, the patch also shores up defenses against credential harvesting and local privilege gains:
- SSH Credential Leak (CVE-2026-21670): A high-severity flaw (CVSS 7.7) that enables a low-privileged user to extract saved SSH credentials. This could provide an attacker with the keys needed to move laterally across the network to other Linux-based systems.
- Local Privilege Escalation (CVE-2026-21672): Reported via HackerOne, this vulnerability allows an attacker who has already gained a foothold on a Windows-based Veeam server to elevate their privileges.
In addition to these fixes, Veeam has updated the Veeam Agent for Linux to align its firewall port range (now 2500-3300) with other products in the ecosystem.
The primary defense against these threats is a swift upgrade. All organizations running affected builds must update to Veeam Backup & Replication 13.0.1.2067 or later.
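A quick way to act on the version ranges the advisory gives is to classify each Backup & Replication server's build string against them. The following is an added example, not Veeam's code or anything from the advisory: it takes the two stated boundaries (13.0.1.1071 as the last affected build, 13.0.1.2067 as the first fixed build), parses a four-part build string, and flags hosts. Builds that fall between those two values are not described by the advisory, so the script reports them as "unverified" rather than assuming they are safe; major versions other than 13 are reported as "out_of_scope" because the advisory says nothing about them. Hostnames and the non-boundary build numbers in the sample inventory are constructed for the example.

```python
"""Added example (not from Veeam or the advisory): classify Veeam Backup &
Replication build strings against the ranges the advisory states.

  affected  : version 13 builds up to and including 13.0.1.1071
  fixed     : 13.0.1.2067 or later
  unverified: version 13 builds between the two values (not described)
  out_of_scope: any other major version (not described)
"""
import re
from typing import List, Tuple

AFFECTED_MAJOR = 13
LAST_AFFECTED_BUILD = (13, 0, 1, 1071)   # from the advisory
FIRST_FIXED_BUILD = (13, 0, 1, 2067)     # from the advisory

_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)\.(\d+)\s*$")


def parse_build(version: str) -> Tuple[int, ...]:
    """Parse 'a.b.c.d' into an int tuple so builds compare numerically.

    String comparison would rank '13.0.1.999' above '13.0.1.2067', so the
    numeric tuple is essential for a correct check.
    """
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(p) for p in m.groups())


def classify(version: str) -> str:
    """Map one build string to affected / fixed / unverified / out_of_scope."""
    build = parse_build(version)
    if build[0] != AFFECTED_MAJOR:
        return "out_of_scope"
    if build <= LAST_AFFECTED_BUILD:
        return "affected"
    if build >= FIRST_FIXED_BUILD:
        return "fixed"
    # Between the last affected and first fixed build: the advisory does not
    # say, so do not treat it as patched.
    return "unverified"


def check_inventory(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (host, version, status) rows, most urgent first."""
    order = {"affected": 0, "unverified": 1, "out_of_scope": 2, "fixed": 3}
    rows = [(host, ver, classify(ver)) for host, ver in inventory]
    return sorted(rows, key=lambda r: (order[r[2]], r[0]))


# Constructed sample inventory; hostnames and the builds other than the two
# advisory boundaries are invented for this example.
SAMPLE_INVENTORY = [
    ("vbr-prod-01", "13.0.1.1071"),  # last affected build per the advisory
    ("vbr-prod-02", "13.0.1.2067"),  # first fixed build per the advisory
    ("vbr-lab-01", "13.0.0.900"),    # hypothetical earlier v13 build
    ("vbr-legacy", "12.3.0.500"),    # hypothetical v12 build, not covered
    ("vbr-dr-01", "13.0.1.1500"),    # hypothetical build between the two values
]

if __name__ == "__main__":
    for host, ver, status in check_inventory(SAMPLE_INVENTORY):
        print(f"{host:12} {ver:14} {status}")
```

Feed it the version strings your inventory or monitoring already collects; the point of the four-way result is that "not affected" and "known fixed" are different answers, and only the latter should close a ticket.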
With backup servers increasingly targeted by ransomware groups to prevent data recovery, patching these entry points is no longer optional—it is a critical necessity for business continuity.