Executive Summary
CVE-2026-21667 is a second critical remote code execution vulnerability disclosed simultaneously with CVE-2026-21666 in Veeam Backup & Replication. Like its companion CVE, it allows any authenticated domain user to achieve code execution on the Backup Server — no Veeam-specific privileges required.
CVSS Score: 9.9 (Critical)
The concurrent disclosure of multiple domain-user-accessible RCE vulnerabilities in the same product indicates a systemic authorization enforcement failure within Veeam's service layer. Organizations must prioritize patching as these flaws collectively provide multiple pathways for any domain-authenticated attacker to fully compromise Veeam infrastructure.
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-21667 |
| CVSS Score | 9.9 (Critical) |
| Type | Remote Code Execution |
| Attack Vector | Network |
| Privileges Required | Low (authenticated domain user) |
| User Interaction | None |
| Confidentiality Impact | High |
| Integrity Impact | High |
| Availability Impact | High |
| Patch Available | Yes — apply Veeam security patch immediately |
Affected Products
| Product | Affected Versions | Remediation |
|---|---|---|
| Veeam Backup & Replication | All unpatched versions | Apply vendor security patch |
Technical Analysis
Context: Multiple Simultaneous CVEs
CVE-2026-21667 was published on the same day as CVE-2026-21666 and CVE-2026-21669, all sharing the same description: an authenticated domain user can perform RCE on the Backup Server. The concurrent release of three CVSS 9.9 vulnerabilities in a single product strongly suggests:
- Multiple distinct code paths within Veeam's service layer all fail to enforce proper authorization
- The vulnerabilities were likely identified through a coordinated security audit or penetration test
- Patching a single attack vector does not remediate exposure — all three CVEs must be addressed together
Root Cause
Because it is tracked under its own CVE, CVE-2026-21667 is a distinct attack surface within the Backup Server, most plausibly a different API endpoint, RPC method, or service component from the one behind CVE-2026-21666. The shared description points to the same class of defect: a privileged operation is processed without first checking that the authenticated caller holds the required Veeam role. The public description does not name the affected component, so the exact code path remains an inference.
The effective privilege requirement of "domain user" (the lowest possible Active Directory credential tier) maximizes the attack surface across any enterprise with Active Directory integration.
Attack Flow
1. Attacker obtains any valid domain credential (phishing, credential stuffing, insider threat)
2. Attacker enumerates Veeam Backup Servers on the internal network
3. Attacker targets a different endpoint/service component than CVE-2026-21666
4. Crafted payload bypasses authorization and triggers RCE on the Backup Server
5. Attacker achieves code execution in the context of the Veeam Backup Service (service name VeeamBackupSvc, process Veeam.Backup.Service.exe), which runs as Local System by default
6. Full compromise of backup infrastructure — repositories, credentials, managed systems
Relationship to Other Veeam CVEs (March 2026)
| CVE | CVSS | Privilege Required | Attack Surface |
|---|---|---|---|
| CVE-2026-21666 | 9.9 | Domain User | Backup Server |
| CVE-2026-21667 | 9.9 | Domain User | Backup Server |
| CVE-2026-21669 | 9.9 | Domain User | Backup Server |
| CVE-2026-21671 | 9.1 | Backup Administrator | Backup Server (HA) |
Impact Assessment
| Impact Area | Description |
|---|---|
| Remote Code Execution | Arbitrary code execution on the Backup Server |
| Credential Exposure | Credentials stored in the Veeam configuration database (hypervisor, guest OS, cloud, repository) are encrypted at rest, but a process running on the Backup Server with service privileges can decrypt them |
| Backup Tampering | Attackers can corrupt, delete, or encrypt backup data |
| Ransomware Staging | Elimination of backup recovery options before deploying ransomware |
| Lateral Movement | Hypervisor credentials enable pivot to every backed-up workload |
Immediate Remediation
Step 1: Apply Veeam Security Patch
Apply the Veeam security patch released to address the March 2026 CVEs. All four CVEs (21666, 21667, 21669, 21671) are addressed in the same patch release.
# Verify the current build before patching. CoreVersion is read from the registry; the file version of
# Veeam.Backup.Core.dll (under the CorePath recorded in the same key) is the build number Veeam cites in its KB articles.
$veeamKey = "HKLM:\SOFTWARE\Veeam\Veeam Backup and Replication"
Get-ItemProperty $veeamKey | Select-Object CoreVersion
$corePath = (Get-ItemProperty $veeamKey).CorePath
(Get-Item (Join-Path $corePath "Veeam.Backup.Core.dll")).VersionInfo.FileVersion
# After patching, re-run the check and confirm the build matches the patched build listed in the vendor advisory
Step 2: Isolate Veeam Backup Server
# Restrict inbound access to the Veeam Backup Service ports (TCP 9392-9401) to the hosts that legitimately
# connect: admin consoles, Enterprise Manager, and any proxy or repository that connects back to the
# backup server. Check Veeam's port reference for the full list in your deployment.
$AllowedHosts = @("10.0.0.10", "10.0.0.11") # Replace with your host IPs
# Windows Defender Firewall evaluates Block rules before Allow rules, so an explicit Block rule on the
# same ports would also block $AllowedHosts. Rely on the profile default (inbound Block) instead.
Set-NetFirewallProfile -All -DefaultInboundAction Block
# The Veeam installer adds its own unrestricted allow rules for these ports; find and disable them,
# otherwise they keep the ports open to every host. Review the list before disabling.
$openVeeamRules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -match '^(939[2-9]|940[01])(-|$)' }
$openVeeamRules | Select-Object DisplayName, Profile
$openVeeamRules | Disable-NetFirewallRule
New-NetFirewallRule -DisplayName "Allow Veeam Backup Service - Admin Hosts Only" `
    -Direction Inbound -Protocol TCP `
    -LocalPort 9392-9401 `
    -RemoteAddress $AllowedHosts `
    -Action Allow `
    -Profile Any
Step 3: Monitor for Active Exploitation
# Check for unexpected child processes of Veeam services (Get-CimInstance replaces the deprecated
# Get-WmiObject). Veeam legitimately spawns helpers such as Veeam.Backup.Manager.exe, so compare
# the result against a known-good baseline rather than treating every child as malicious.
$veeamPids = (Get-Process -Name "Veeam*").Id
Get-CimInstance Win32_Process | Where-Object { $_.ParentProcessId -in $veeamPids } |
    Select-Object Name, ProcessId, ParentProcessId, CommandLine
# Review the Veeam application log for errors and warnings (Level 2 = Error, 3 = Warning).
# -LogName cannot be combined with -FilterHashtable, so the log name goes into the hashtable.
Get-WinEvent -FilterHashtable @{LogName="Application"; ProviderName="Veeam Backup"; Level=2,3} -MaxEvents 50 |
    Select-Object TimeCreated, Id, Message
# A domain user reaching the Veeam service typically leaves a network logon (4624, logon type 3) in the
# Security log of the Backup Server; look for accounts that are not Veeam administrators.
Get-WinEvent -FilterHashtable @{LogName="Security"; Id=4624; StartTime=(Get-Date).AddDays(-7)} |
    Where-Object { $_.Properties[8].Value -eq 3 } |
    Select-Object TimeCreated, @{n="Account";e={$_.Properties[6].Value + "\" + $_.Properties[5].Value}}, @{n="Source";e={$_.Properties[18].Value}}
Detection Indicators
| Indicator | Description |
|---|---|
| Unexpected child processes of Veeam.Backup.Service.exe (service VeeamBackupSvc) | Code execution via the exploit |
| Outbound TCP connections from the Backup Server to external IPs | Potential C2 or data exfiltration |
| Veeam job configuration changes outside change windows | Tampering post-exploitation |
| Connections to the Veeam configuration database (SQL Server or PostgreSQL) from non-Veeam processes | Credential harvest from config DB |
| Domain user accounts that are not Veeam administrators appearing in Veeam audit logs or in network logons (4624, type 3) to the Backup Server | Exploitation indicator |
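The following triage function is an added example, not code from the original advisory or from Veeam. It checks three of the indicators above on a Backup Server: unexpected children of Veeam.Backup.Service.exe, established connections from Veeam processes to non-private addresses, and non-Veeam processes holding a client connection to the configuration database port. The expected-child allowlist and the database port are assumptions; baseline them on a clean server before relying on the output.

```powershell
# Added example (not from the original advisory or from Veeam). The expected-child list and the
# database port are assumptions; adjust them to the deployment being triaged.

function Test-PrivateAddress {
    # True for loopback, RFC 1918, link-local and IPv6 ULA addresses; anything else counts as external.
    param([Parameter(Mandatory)][string]$Address)
    $ip = [System.Net.IPAddress]::Parse($Address)
    if ([System.Net.IPAddress]::IsLoopback($ip)) { return $true }
    $b = $ip.GetAddressBytes()
    if ($ip.AddressFamily -eq [System.Net.Sockets.AddressFamily]::InterNetwork) {
        return ($b[0] -eq 10) -or
               ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
               ($b[0] -eq 192 -and $b[1] -eq 168) -or
               ($b[0] -eq 169 -and $b[1] -eq 254)
    }
    return $ip.IsIPv6LinkLocal -or (($b[0] -band 0xFE) -eq 0xFC)
}

function Test-VeeamCompromiseIndicators {
    param(
        # Processes Veeam.Backup.Service.exe is expected to launch on this server (assumption: baseline it first)
        [string[]]$ExpectedChildren = @("Veeam.Backup.Manager.exe", "conhost.exe"),
        # Configuration database port: 1433 for Microsoft SQL Server, 5432 for PostgreSQL
        [int]$DbPort = 1433
    )
    $findings = [System.Collections.Generic.List[object]]::new()
    $procs = Get-CimInstance Win32_Process
    $byPid = @{}
    foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }
    $servicePids = @($procs | Where-Object Name -eq "Veeam.Backup.Service.exe" | ForEach-Object ProcessId)

    # Indicator: unexpected child processes of the Veeam Backup Service
    foreach ($p in $procs) {
        if ($p.ParentProcessId -in $servicePids -and $p.Name -notin $ExpectedChildren) {
            $findings.Add([pscustomobject]@{ Indicator = "UnexpectedChild"; Process = $p.Name
                                             Pid = $p.ProcessId; Detail = $p.CommandLine })
        }
    }

    # Indicator: established connections from Veeam processes to non-private addresses
    $conns = Get-NetTCPConnection -State Established
    foreach ($c in $conns) {
        $owner = $byPid[[int]$c.OwningProcess]
        if ($owner -and $owner.Name -like "Veeam*" -and -not (Test-PrivateAddress $c.RemoteAddress)) {
            $findings.Add([pscustomobject]@{ Indicator = "ExternalConnection"; Process = $owner.Name
                                             Pid = $owner.ProcessId; Detail = "$($c.RemoteAddress):$($c.RemotePort)" })
        }
    }

    # Indicator: a non-Veeam process holding a client-side connection to the configuration database port
    foreach ($c in $conns | Where-Object RemotePort -eq $DbPort) {
        $owner = $byPid[[int]$c.OwningProcess]
        if ($owner -and $owner.Name -notlike "Veeam*") {
            $findings.Add([pscustomobject]@{ Indicator = "DbAccessNonVeeam"; Process = $owner.Name
                                             Pid = $owner.ProcessId; Detail = "$($c.LocalAddress):$($c.LocalPort) -> $DbPort" })
        }
    }
    return $findings
}

Test-VeeamCompromiseIndicators | Format-Table -AutoSize
```

Run it in an elevated session on the Backup Server; an empty result means none of the three checks fired, not that the host is clean, since the other indicators in the table (job configuration changes, audit-log entries) have to be reviewed in Veeam itself.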
Post-Remediation Checklist
- Patch — apply the Veeam March 2026 security patch across all Veeam Backup Servers
- Credential rotation — rotate all credentials stored in Veeam (hypervisor, cloud, AD)
- Log review — audit Veeam and Windows Event logs for exploitation evidence
- Repository hardening — enable immutability on backup repositories (Hardened Repository)
- Network segmentation — enforce firewall rules restricting Veeam port access
- 4-eyes authorization — enable for critical Veeam operations
- Incident response — engage IR if exploitation before patch application is suspected