Executive Summary
CVE-2026-21708 is a critical remote code execution vulnerability in Veeam Backup & Replication that enables a user with the Backup Viewer role — the least privileged role in the Veeam role model — to execute arbitrary code as the postgres database user on the Backup Server.
CVSS Score: 9.9 (Critical)
This is the fifth critical CVE disclosed in the March 2026 Veeam security advisory batch, joining CVE-2026-21666, CVE-2026-21667, CVE-2026-21669, and CVE-2026-21671. Unlike its companion vulnerabilities, CVE-2026-21708 does not require a domain user or Backup Administrator account — the read-only Backup Viewer role is sufficient. This dramatically widens the attack surface, as Backup Viewer accounts are commonly provisioned for helpdesk staff, auditors, compliance reviewers, and monitoring integrations.
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-21708 |
| CVSS Score | 9.9 (Critical) |
| Type | Remote Code Execution |
| Attack Vector | Network |
| Privileges Required | Low (Backup Viewer role in Veeam) |
| User Interaction | None |
| Scope | Changed |
| Confidentiality Impact | High |
| Integrity Impact | High |
| Availability Impact | High |
| Execution Context | postgres OS user |
| Patch Available | Yes — apply Veeam March 2026 security patch |
Affected Products
| Product | Affected Versions | Remediation |
|---|---|---|
| Veeam Backup & Replication | All unpatched versions | Apply vendor security patch immediately |
Technical Analysis
The Backup Viewer Role
The Backup Viewer role in Veeam Backup & Replication is intended for read-only access. Users with this role can:
- View job status and restore points
- Browse backup catalogs
- Monitor infrastructure health
- View reports
Backup Viewers cannot create or modify jobs, perform restores, or manage credentials — or so the role model assumes. CVE-2026-21708 undermines this assumption entirely.
Root Cause
The vulnerability exists in a backend component accessible to authenticated Veeam users, including those with only Backup Viewer privileges. The flaw allows crafted requests to reach functionality that interacts directly with Veeam's embedded PostgreSQL database, triggering SQL-level code execution via PostgreSQL's procedural capabilities (such as COPY TO/FROM PROGRAM or user-defined functions with OS access).
The postgres user on Veeam Backup Server installations runs with elevated operating system privileges and has access to:
- The full Veeam configuration database (credentials, job configs, infrastructure topology)
- All stored secrets and encryption keys managed by Veeam
- The PostgreSQL data directory and WAL logs
- Host-level process execution via PostgreSQL extensions
Attack Scenarios
Scenario 1: Compromised Read-Only Monitoring Account
1. Attacker obtains Backup Viewer credentials via phishing or credential stuffing
2. Backup Viewer accounts are commonly reused or share weak passwords because they are treated as "monitoring only"
3. Attacker connects to Veeam console and exploits CVE-2026-21708
4. RCE achieved as postgres user on Backup Server
5. Full infrastructure compromise — credentials extracted, backups accessible
Scenario 2: Malicious Helpdesk or Auditor Access
1. Insider or contractor with Backup Viewer (audit/helpdesk access) exploits CVE-2026-21708
2. Extracts all stored credentials from the PostgreSQL configuration database
3. Uses exfiltrated credentials to pivot to domain controllers, cloud environments, etc.
4. Destroys or encrypts backup repositories before deploying ransomware
Scenario 3: Automated Monitoring Integration Compromise
1. Attacker compromises a monitoring system (Zabbix, PRTG, custom scripts) with Veeam Viewer API access
2. Uses the monitoring system's stored Veeam Viewer credentials
3. Exploits CVE-2026-21708 through the monitoring system's network path to Veeam
4. Achieves RCE without directly compromising Veeam admin accounts
Why postgres RCE Is Catastrophic
Execution as the postgres user in Veeam's embedded PostgreSQL has outsized impact:
- Full config DB access: Veeam stores all credentials, encryption keys, job definitions, and infrastructure maps in PostgreSQL. The postgres superuser has complete access.
- Credential decryption: With postgres-level DB access and OS access, stored credential encryption can be circumvented or keys extracted.
- Filesystem read/write: PostgreSQL's COPY commands and file access functions allow reading and writing arbitrary files as the postgres OS user.
- OS-level persistence: New OS users, scheduled tasks, or startup scripts can be created via postgres → OS execution chains.
Impact Assessment
| Impact Area | Description |
|---|---|
| RCE on Backup Server | Code execution as postgres — full DB and significant OS access |
| Credential Database Exposure | All Veeam-stored credentials decryptable with postgres-level access |
| Backup Catalog Access | Full read access to all backup restore points and data |
| Infrastructure Topology Disclosure | Veeam's config DB maps the entire protected infrastructure |
| Ransomware Enablement | Backup destruction and encryption bypass before ransomware deployment |
| Lowest Privilege Required | Attack reachable via Backup Viewer — the least privileged Veeam role |
Immediate Remediation
Step 1: Apply the Veeam March 2026 Security Patch
This patch addresses all five March 2026 CVEs (21666, 21667, 21669, 21671, 21708).
```powershell
# Verify current Veeam version before patching
Get-ItemProperty "HKLM:\SOFTWARE\Veeam\Veeam Backup and Replication" |
    Select-Object CoreVersion, ProductVersion
# After patching, confirm the updated version
Get-ItemProperty "HKLM:\SOFTWARE\Veeam\Veeam Backup and Replication" |
    Select-Object CoreVersion
```
Step 2: Audit All Backup Viewer Role Assignments
```powershell
# List all Veeam role assignments
# Note: VeeamPSSnapIn is the legacy snap-in; on v11 and later load the
# Veeam.Backup.PowerShell module (Import-Module Veeam.Backup.PowerShell) instead.
Add-PSSnapin VeeamPSSnapIn
Get-VBRRole | Select-Object Name, Type | Format-Table
# Identify all Backup Viewer accounts — these are the primary attack surface for CVE-2026-21708
Get-VBRRole | Where-Object { $_.Type -eq "BackupViewer" } |
    Select-Object -ExpandProperty Users |
    ForEach-Object { Write-Host "Backup Viewer: $_" }
```
Step 3: Restrict Backup Viewer Access Until Patched
```powershell
# If immediate patching is not possible, consider:
# 1. Disabling or revoking Backup Viewer accounts temporarily
# 2. Restricting network access to Veeam console ports to admin workstations only
# 3. Requiring MFA for all Veeam console access
# Check that the Veeam console port is listening (default: 9392)
Get-NetTCPConnection -LocalPort 9392 | Where-Object { $_.State -eq "Listen" }
```
Step 4: Network Isolation
```powershell
# Restrict Veeam console access to trusted management networks only:
# block port 9392 (Veeam console) from general user networks; the
# Veeam Backup Server should not be reachable from workstations.
# Windows Firewall rule to restrict Veeam console access
New-NetFirewallRule -DisplayName "Block Veeam Console General Access" `
    -Direction Inbound -LocalPort 9392 -Protocol TCP `
    -RemoteAddress "192.168.0.0/24" -Action Block   # Adjust to your user network range
```
Detection Indicators
| Indicator | Description |
|---|---|
| PostgreSQL process spawning OS commands or shell processes | Direct exploitation indicator |
| Veeam service account or postgres user creating new OS accounts | Post-exploitation persistence |
| Backup Viewer accounts authenticating outside business hours | Credential abuse indicator |
| Unusual outbound connections from Veeam Backup Server | C2 or exfiltration |
| PostgreSQL log entries with COPY ... FROM PROGRAM statements | SQL-level exploitation |
| Access to Veeam configuration database from non-Veeam processes | Credential extraction |
| New scheduled tasks or services created on Veeam Backup Server | Persistence mechanism |
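As an added example (not code from the advisory or from Veeam), the check behind the "PostgreSQL log entries" indicator above and the COPY PROGRAM and user-defined-function mechanisms named under Root Cause: a small Python scanner over constructed PostgreSQL server log lines. It assumes the default log_line_prefix '%m [%p] ' and log_statement = 'all' (so that COPY ... TO PROGRAM and DDL are logged at all); the log lines, user and database names, and pids are constructed.

```python
import re

# Constructed PostgreSQL server log excerpt (default log_line_prefix '%m [%p] '),
# written for this example; it is not taken from any real Veeam installation.
SAMPLE_LOG = "\n".join([
    "2026-03-12 02:14:05.001 UTC [4120] LOG:  connection authorized: user=veeam database=VeeamBackup",
    "2026-03-12 02:14:07.118 UTC [4120] LOG:  statement: SELECT id, name FROM backup_jobs WHERE enabled = true",
    "2026-03-12 02:14:08.400 UTC [4120] LOG:  statement: COPY backup_jobs TO STDOUT",
    "2026-03-12 02:14:09.502 UTC [4120] LOG:  statement: COPY (SELECT 1) TO PROGRAM 'hostname'",
    "2026-03-12 02:14:11.207 UTC [4131] LOG:  statement: CREATE TABLE t (x text); copy t from program 'whoami'",
    "2026-03-12 02:14:13.990 UTC [4131] LOG:  statement: SELECT pg_read_file('C:/ProgramData/Veeam/config.xml')",
    "2026-03-12 02:14:15.301 UTC [4131] STATEMENT:  CREATE FUNCTION f(text) RETURNS int AS 'C:/Temp/lib.dll', 'f' LANGUAGE c",
    "2026-03-12 02:14:20.044 UTC [4140] LOG:  statement: UPDATE restore_points SET verified = true WHERE id = 42",
])

# Rule name -> pattern over the SQL text: the PostgreSQL features the advisory names
# (COPY PROGRAM, server-side file functions, C-language UDFs). Not an exhaustive list.
SUSPICIOUS = [
    ("copy_program", re.compile(r"\bCOPY\b.*?\b(?:FROM|TO)\s+PROGRAM\b", re.I)),
    ("server_file_access", re.compile(r"\bpg_(?:read_file|read_binary_file|ls_dir|stat_file)\s*\(", re.I)),
    ("c_language_function", re.compile(r"\bCREATE\s+(?:OR\s+REPLACE\s+)?FUNCTION\b.*?\bLANGUAGE\s+'?c'?\b", re.I)),
]

# '<ts> [<pid>] LOG:  statement: <sql>' or the 'STATEMENT:  <sql>' line that follows an ERROR.
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<kind>LOG|STATEMENT):\s+(?P<rest>.*)$")

def extract_statement(line):
    """Return (timestamp, pid, sql) if the line carries a SQL statement, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    if m.group("kind") == "LOG":
        if not rest.startswith("statement: "):
            return None  # connection / checkpoint chatter, not a statement
        rest = rest[len("statement: "):]
    return m.group("ts"), int(m.group("pid")), rest

def scan_log(text):
    """Return one finding per (statement, rule) match, in log order."""
    findings = []
    for line in text.splitlines():
        parsed = extract_statement(line)
        if parsed is None:
            continue
        ts, pid, sql = parsed
        for rule, pattern in SUSPICIOUS:
            if pattern.search(sql):
                findings.append({"ts": ts, "pid": pid, "rule": rule, "sql": sql})
    return findings
```

A plain COPY ... TO STDOUT (used by ordinary exports) is deliberately not flagged; only the PROGRAM form reaches the OS.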
Post-Remediation Checklist
- Patch Veeam Backup Server with March 2026 security update (addresses all 5 CVEs)
- Audit Backup Viewer accounts — identify all, remove unnecessary ones, verify necessity
- Rotate all Veeam-stored credentials — assume any secrets in the config DB may be compromised
- Review PostgreSQL logs — check for unusual queries, COPY commands, or function calls
- Verify backup integrity — ensure backup chains are intact and repositories have not been modified
- Restrict Veeam console network access — firewall to management networks only
- Enable audit logging for all Veeam role-based access operations
- Review monitoring integrations — ensure Backup Viewer API credentials are rotated and secured
- Engage IR if any Backup Viewer account has been accessed from unexpected IPs or times