Veeam Releases Emergency Patch for Five Critical RCE Flaws
Veeam Software has released a security update for Veeam Backup & Replication, addressing five critical remote code execution (RCE) vulnerabilities that could allow attackers to fully compromise backup infrastructure. The vulnerabilities range in severity from CVSS 9.1 to CVSS 9.9 — all rated Critical — and affect all unpatched Veeam Backup & Replication installations.
The March 2026 advisory is one of the most significant Veeam security disclosures in recent memory: the flaws are exploitable by attackers whose access ranges from no Veeam account at all (domain credentials alone suffice) down to the least-privileged Backup Viewer role.
Organizations relying on Veeam for backup and disaster recovery should treat this as an emergency patch and apply the update immediately.
The Five Vulnerabilities
| CVE | CVSS | Privileges Required | Impact |
|---|---|---|---|
| CVE-2026-21666 | 9.9 | Authenticated domain user | RCE on Backup Server |
| CVE-2026-21667 | 9.9 | Authenticated domain user | RCE on Backup Server |
| CVE-2026-21669 | 9.9 | Authenticated domain user | RCE on Backup Server |
| CVE-2026-21671 | 9.1 | Backup Administrator role | RCE on HA Backup Server |
| CVE-2026-21708 | 9.9 | Backup Viewer role (lowest) | RCE as postgres user |
CVE-2026-21666, CVE-2026-21667, CVE-2026-21669 — Domain User RCE (CVSS 9.9)
Three closely related vulnerabilities allow any authenticated domain user, without any Veeam-specific role or account, to execute arbitrary code on the Veeam Backup Server. In enterprise environments where Veeam is integrated with Active Directory (the standard deployment), any of the thousands of user accounts across the organization may be sufficient to exploit these flaws.
The domain-user exploitable nature of these three CVEs is particularly alarming because domain accounts are routinely compromised via phishing, password spraying, and credential theft. An attacker who obtains any domain user credential — even a standard employee account — can pivot directly to full Backup Server compromise.
CVE-2026-21671 — Backup Administrator RCE in HA Deployments (CVSS 9.1)
This flaw targets Veeam High Availability (HA) deployments, which are used by larger enterprises and MSPs for backup continuity. Users with the Backup Administrator role — commonly assigned to backup operators, NOC staff, and service accounts — can exploit a flaw in the HA coordination layer to achieve RCE on the primary Backup Server.
HA deployments carry additional risk because both primary and secondary nodes may be compromised, and MSP environments using shared Veeam HA infrastructure risk multi-tenant compromise from a single exploited administrator account.
CVE-2026-21708 — Backup Viewer RCE as postgres (CVSS 9.9)
The most noteworthy vulnerability in the batch, CVE-2026-21708 requires only the Backup Viewer role — the read-only, least-privileged role in Veeam's access model. Users with this role are typically:
- Helpdesk staff who can view job status
- Auditors reviewing backup compliance
- Monitoring integrations checking job health
- Junior IT staff with read-only access
Despite requiring only this minimal access, exploitation results in remote code execution as the postgres database user on the Backup Server. The postgres user has full access to Veeam's configuration database — including all stored credentials, infrastructure maps, and encryption keys.
Why Backup Infrastructure Is a Prime Ransomware Target
Veeam is estimated to protect 550,000+ organizations worldwide, including a significant portion of the Global 2000. Backup servers represent some of the most valuable targets in enterprise infrastructure for ransomware groups:
If attackers own the backup server, they own the recovery path.
Before deploying ransomware across a network, sophisticated threat actors — including Cl0p, LockBit, BlackBasta, and affiliated groups — routinely prioritize backup server compromise to:
- Destroy or encrypt backup data — eliminating the organization's ability to recover without paying
- Exfiltrate backup data — backup repositories contain copies of every protected workload, including sensitive databases, file servers, and email stores
- Harvest stored credentials — Veeam stores credentials for every system it backs up; these can be used to pivot to domain controllers, cloud environments, and more
- Maintain persistence — backup servers are trusted infrastructure; attacker-controlled code on a backup server is difficult to detect and remove
With three CVEs exploitable by any domain user, these Veeam vulnerabilities have an extremely high probability of being weaponized by ransomware operators in the near term.
Scope of Exposure
Veeam Backup & Replication is deployed in the vast majority of enterprise Windows environments globally. The domain-user exploitable CVEs (21666, 21667, 21669) and the Backup Viewer CVE (21708) require only a minimal foothold: any compromised account in a Veeam-integrated Active Directory forest may be sufficient.
Remediation
Apply the Veeam March 2026 security patch immediately. All five CVEs are addressed in the same update.
Verify Your Version
```powershell
Get-ItemProperty "HKLM:\SOFTWARE\Veeam\Veeam Backup and Replication" |
    Select-Object CoreVersion, ProductVersion
```
Post-Patch Actions
- Rotate all credentials stored in Veeam — treat them as potentially compromised
- Audit role assignments — identify all Backup Viewer, Backup Operator, and Backup Administrator accounts; remove unnecessary assignments
- Review HA deployment — if using HA, patch both primary and secondary nodes
- Check for indicators of compromise — unusual processes on the Backup Server, unexpected outbound connections, new accounts
- Restrict Veeam console network access — firewall Veeam ports to management networks only (port 9392 by default)
- Enable 4-eyes authorization for critical Veeam operations (requires Enterprise Plus license)
- Verify Hardened Repository settings — ensure immutable backup storage configuration is intact
If Patching Is Delayed
If immediate patching is not possible:
```powershell
# Temporarily block the Veeam console port (9392) from every address except the
# management subnet. Windows Firewall evaluates Block rules before Allow rules,
# so this overrides Veeam's own inbound Allow rules while it is in place.
# Placeholder: management subnet assumed to be 10.0.1.0/24; adjust the two
# ranges so they cover everything outside your real management subnet.
New-NetFirewallRule -DisplayName "Temp: Restrict Veeam Console" `
    -Direction Inbound -LocalPort 9392 -Protocol TCP `
    -RemoteAddress "0.0.0.0-10.0.0.255", "10.0.2.0-255.255.255.255" `
    -Action Block

# Audit who has Veeam access RIGHT NOW
Import-Module Veeam.Backup.PowerShell   # v11+ module; older builds: Add-PSSnapin VeeamPSSnapIn
Get-VBRRole | ForEach-Object {
    Write-Host "Role: $($_.Name) | Type: $($_.Type)"
    $_.Users | ForEach-Object { Write-Host "  User: $_" }
}
```
Detection Guidance
Monitor for the following indicators that may indicate active exploitation:
| Indicator | Significance |
|---|---|
| Unexpected child processes spawned by Veeam services | Direct exploitation indicator |
| PostgreSQL executing OS-level commands | CVE-2026-21708 exploitation |
| New local admin accounts on Veeam Backup Server | Post-exploitation persistence |
| Unusual outbound connections from backup server | C2 or exfiltration activity |
| Backup job failures / configuration changes | Potential attacker interference |
| Domain accounts accessing Veeam at unusual hours | Credential abuse for domain-user CVEs |
| Veeam configuration database accessed by non-Veeam processes | Credential harvesting |
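As an added example (not from the advisory or from Veeam), a small Python pass that applies the first two indicators in the table to process-creation records in the shape of Sysmon Event ID 1; the Veeam service binary names, the shell list and the sample events are assumptions constructed for the demo.

```python
"""Detection pass for two indicators from the table above: a Veeam service
spawning a shell, and PostgreSQL (Veeam's config DB) spawning any process."""
from pathlib import PureWindowsPath
from typing import Optional

# Assumed Veeam service binaries that should never spawn a shell or script host.
VEEAM_SERVICES = {"veeam.backup.service.exe", "veeam.backup.manager.exe",
                  "veeam.backup.uiserver.exe"}
# Child images that mean command execution rather than normal backup work.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
          "mshta.exe", "rundll32.exe", "certutil.exe", "bitsadmin.exe"}

def image_name(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return PureWindowsPath(path).name.lower()

def classify(event: dict) -> Optional[str]:
    """Return a rule tag for a process-creation event, or None if benign."""
    parent, child = image_name(event["ParentImage"]), image_name(event["Image"])
    if parent == "postgres.exe":
        # The Backup Server's postgres.exe has no reason to spawn OS processes;
        # this is the CVE-2026-21708 (RCE as the postgres user) pattern.
        return "postgres-spawned-process"
    if parent in VEEAM_SERVICES and child in SHELLS:
        return "veeam-service-spawned-shell"
    return None

def scan(events: list) -> list:
    """Run classify over Sysmon-ID-1-shaped records; keep only the hits."""
    return [{"rule": tag, "time": e["UtcTime"], "user": e["User"],
             "parent": e["ParentImage"], "cmd": e["CommandLine"]}
            for e in events if (tag := classify(e))]

# Constructed sample events (not real telemetry); fields follow Sysmon Event ID 1.
SAMPLE_EVENTS = [
    {"UtcTime": "2026-03-18 02:11:04", "User": "NT AUTHORITY\\SYSTEM",
     "ParentImage": r"C:\Program Files\Veeam\Backup and Replication\Backup\Veeam.Backup.Service.exe",
     "Image": r"C:\Program Files\Veeam\Backup and Replication\Backup\VeeamAgent.exe",
     "CommandLine": "VeeamAgent.exe"},                       # benign
    {"UtcTime": "2026-03-18 02:13:41", "User": "NT AUTHORITY\\SYSTEM",
     "ParentImage": r"C:\Program Files\Veeam\Backup and Replication\Backup\Veeam.Backup.Service.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},                    # service -> shell
    {"UtcTime": "2026-03-18 02:15:09", "User": "VEEAM01\\postgres",
     "ParentImage": r"C:\Program Files\PostgreSQL\15\bin\postgres.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -c whoami"},             # postgres -> shell
]
```

Feed `scan()` records exported from Sysmon or Security 4688 (mapping `NewProcessName`/`ParentProcessName` onto `Image`/`ParentImage`) and route any hit straight to incident response, since both patterns are direct exploitation indicators rather than noise.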
Sources
- BleepingComputer — Veeam warns of critical flaws exposing backup servers to RCE attacks
- CosmicBytez Labs — CVE-2026-21666 Security Advisory
- CosmicBytez Labs — CVE-2026-21667 Security Advisory
- CosmicBytez Labs — CVE-2026-21669 Security Advisory
- CosmicBytez Labs — CVE-2026-21671 Security Advisory
- CosmicBytez Labs — CVE-2026-21708 Security Advisory