Patch Now! 7 New Critical Vulnerabilities in Veeam Backup & Replication

On March 12th, 2026, Veeam published two security advisories covering 7 critical and one high-severity vulnerability in its Backup & Replication server. Between them, the flaws affect both the version 12 and version 13 builds. There are no reports of active exploitation and no public proof-of-concept (PoC) exploits yet, but Veeam products have appeared on CISA’s Known Exploited Vulnerabilities (KEV) list four times since late 2022, each time in connection with ransomware attacks [1][2][3]. Veeam and other enterprise backup systems are high-value targets for ransomware operators because of their role in protecting critical data, and destroying or encrypting backups removes the victim’s recovery path. Several national CERTs have issued alerts for the new CVEs [4][5][6][7][8][9][10].

Greenbone’s OPENVAS ENTERPRISE FEED includes remote banner checks for all CVEs referenced in the new advisories [11][12] and provides consistent detection for vulnerabilities affecting Veeam Backup & Replication [13][14][15][16]. Defenders seeking to detect and protect can try Greenbone’s flagship OPENVAS BASIC for free, including a two-week trial of the OPENVAS ENTERPRISE FEED.


8 New CVEs Impacting Veeam Backup & Replication

All of the newly disclosed vulnerabilities require authentication to exploit. That lowers, but does not remove, the risk: attackers holding stolen credentials [TA0006] or malicious insiders can still exploit them. According to IBM’s 2025 Threat Intelligence Index, nearly half of all cyber attacks resulted in stolen data or credentials, and identity abuse was tied with exploitation of public-facing applications as the most common initial access vector. The same report recorded an 84% increase in emails delivering infostealers in 2024.

Each new flaw affects version 12 and/or version 13 builds of the Veeam Backup & Replication server. One of them, CVE-2026-21672, affects only Windows-based instances; the rest affect both Windows and Linux builds. Veeam disclosed the 8 vulnerabilities in two separate advisories [17][18], but has not published technical details for any of them.


The CVEs are described below, along with the impact and affected products:

| CVE ID | CVSS | Impact | Affected Products |
|---|---|---|---|
| CVE-2026-21708 | 9.9 | A user with Backup Viewer permissions can perform remote code execution (RCE) as the postgres user | v12 builds ≤ 12.3.2.4165; v13 builds ≤ 13.0.1.1071 |
| CVE-2026-21666 | 9.9 | An authenticated domain user can perform RCE on the Backup Server | v12 builds ≤ 12.3.2.4165 |
| CVE-2026-21667 | 9.9 | An authenticated domain user can perform RCE on the Backup Server | v12 builds ≤ 12.3.2.4165 |
| CVE-2026-21669 | 9.9 | An authenticated domain user can perform RCE on the Backup Server | v13 builds ≤ 13.0.1.1071 |
| CVE-2026-21668 | 8.8 | An authenticated domain user can bypass restrictions and manipulate arbitrary files on a Backup Repository | v12 builds ≤ 12.3.2.4165 |
| CVE-2026-21672 | 8.8 | Local privilege escalation on Windows-based Veeam Backup & Replication servers | v12 builds ≤ 12.3.2.4165 (Windows only); v13 builds ≤ 13.0.1.1071 (Windows only) |
| CVE-2026-21671 | 9.1 | An authenticated user with the Backup Administrator role can perform RCE in high availability (HA) deployments of Veeam Backup & Replication | v13 builds ≤ 13.0.1.1071 |
| CVE-2026-21670 | 7.7 | A low-privileged user can extract saved SSH credentials | v13 builds ≤ 13.0.1.1071 |

Mitigation of New Veeam Backup & Replication CVEs

No workarounds have been published for any of the aforementioned vulnerabilities. Organizations running affected Veeam Backup & Replication servers should apply the vendor’s fixed builds as soon as possible:

  • Version 12 users should upgrade to 12.3.2.4465 or later
  • Version 13 users should upgrade to 13.0.1.2067 or later

All earlier version 12 or 13 builds should be treated as vulnerable. Defenders should also evaluate their credential security to strengthen their protection against software flaws that require authentication to exploit. Stolen credentials, overprivileged accounts, and exposed administrative access increase the risk of compromise.
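The following script is an added example, not Greenbone’s or Veeam’s code. It encodes the affected lines from the table and the fixed builds from the list above, compares installed build numbers numerically, and reports which CVEs apply to each server in an inventory. The host names and build numbers in the sample inventory are constructed; the installed version itself has to be collected from each server (console, installer metadata, or a scanner), which the script does not do.

```python
"""Version triage for the March 2026 Veeam Backup & Replication advisories.

Added example, not Greenbone or Veeam code. Affected lines, fixed builds and the
Windows-only flag come from the table and mitigation list above; the inventory
at the bottom is constructed sample data.
"""
from typing import Dict, List, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'v12.3.2.4165' or '12.3.2.4165' -> (12, 3, 2, 4165).

    Integer tuples compare numerically, so 12.3.2.4165 < 12.3.2.4465 is decided
    correctly even when a build number gains a digit (string comparison would not).
    Raises ValueError on anything that is not dotted digits.
    """
    parts = text.strip().lstrip("vV").split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


# First fixed build per major line (from the mitigation list).
FIXED: Dict[int, Version] = {
    12: parse_version("12.3.2.4465"),
    13: parse_version("13.0.1.2067"),
}

# (CVE ID, CVSS, affected major lines, Windows-only) as listed in the table.
ADVISORY: List[Tuple[str, float, Tuple[int, ...], bool]] = [
    ("CVE-2026-21708", 9.9, (12, 13), False),
    ("CVE-2026-21666", 9.9, (12,), False),
    ("CVE-2026-21667", 9.9, (12,), False),
    ("CVE-2026-21669", 9.9, (13,), False),
    ("CVE-2026-21668", 8.8, (12,), False),
    ("CVE-2026-21672", 8.8, (12, 13), True),
    ("CVE-2026-21671", 9.1, (13,), False),
    ("CVE-2026-21670", 7.7, (13,), False),
]


def applicable_cves(version: str, platform: str = "windows") -> List[str]:
    """CVE IDs that apply to an installed build, or [] if it is at/above the fix.

    Every v12 or v13 build older than the fixed build is treated as vulnerable, as
    the advisory text recommends, not only the '<= 12.3.2.4165' builds the table
    names. Major lines other than 12 and 13 are outside the advisories' scope and
    also return []; callers must report those as 'unknown', not 'clean'.
    """
    v = parse_version(version)
    major = v[0]
    if major not in FIXED or v >= FIXED[major]:
        return []
    on_windows = platform.lower() == "windows"
    return [
        cve
        for cve, _score, lines, windows_only in ADVISORY
        if major in lines and (on_windows or not windows_only)
    ]


def max_cvss(cves: List[str]) -> float:
    """Highest CVSS among the given CVE IDs (0.0 for none), for ordering patch work."""
    scores = {cve: score for cve, score, _lines, _win in ADVISORY}
    return max((scores[c] for c in cves), default=0.0)


def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Map (host, version, platform) rows to (host, status, detail) rows."""
    rows = []
    for host, version, platform in inventory:
        try:
            cves = applicable_cves(version, platform)
        except ValueError as exc:
            rows.append((host, "UNPARSEABLE", str(exc)))
            continue
        major = parse_version(version)[0]
        if major not in FIXED:
            rows.append((host, "OUT_OF_SCOPE", f"v{major} is not covered by these advisories"))
        elif not cves:
            fixed = ".".join(map(str, FIXED[major]))
            rows.append((host, "PATCHED", f"at or above fixed build {fixed}"))
        else:
            rows.append((host, "VULNERABLE", f"max CVSS {max_cvss(cves)}: {', '.join(cves)}"))
    return rows


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical hosts and builds).
    sample = [
        ("vbr-prod-01", "12.3.2.4165", "windows"),
        ("vbr-prod-02", "13.0.1.1071", "linux"),
        ("vbr-lab-01", "13.0.1.2067", "windows"),
        ("vbr-legacy", "11.0.0.1", "windows"),
        ("vbr-broken", "13.0.x", "windows"),
    ]
    for host, status, detail in triage(sample):
        print(f"{host:<12} {status:<12} {detail}")
```

The OUT_OF_SCOPE and UNPARSEABLE states are deliberate: a server whose version cannot be read, or that runs a line the advisories do not mention, is not evidence of safety, and folding those cases into "patched" is the classic way a patch-compliance report under-counts.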

Summary

Veeam has disclosed eight new vulnerabilities in its Backup & Replication product, including seven critical flaws affecting version 12 and 13 builds. Although no active exploitation has been reported, backup platforms remain frequent ransomware targets. Because no workarounds are available, affected organizations should patch immediately to version 12.3.2.4465 or 13.0.1.2067 and take steps to strengthen credential security.

Greenbone’s OPENVAS ENTERPRISE FEED includes remote banner checks for all CVEs in the new advisories [11][12] and provides consistent detection for vulnerabilities affecting Veeam Backup & Replication [13][14][15][16]. Defenders seeking to detect and protect can try Greenbone’s flagship OPENVAS BASIC for free, including a two-week trial of the OPENVAS ENTERPRISE FEED.