Backup vendor Veeam has released security updates to patch multiple vulnerabilities in its widely used Backup & Replication platform, including three critical flaws that could allow authenticated users to execute code on backup servers.
Detailed in the company’s advisory KB4830, the vulnerabilities affect Veeam Backup & Replication 12.3.2.4165 and earlier version 12 builds, with fixes now available in build 12.3.2.4465. The disclosure covers five security issues in total, including three remote code execution (RCE) bugs and two high-severity vulnerabilities enabling file manipulation or privilege escalation.
Each of the three critical flaws carries a CVSS score of 9.9 out of 10 and allows authenticated users to execute code on backup infrastructure components under certain conditions.
Backup systems have become increasingly valuable targets for attackers, particularly ransomware operators, because compromising them can undermine recovery capabilities and enable data destruction or exfiltration at scale.
Flaws allow privilege escalation and RCE
The most serious issues addressed in the advisory are the RCE bugs that an authenticated domain user can exploit to execute code on the Veeam Backup Server or associated components. In practice, this means an attacker who already has some level of access within the environment, such as through compromised credentials, could leverage the flaws to take control of backup infrastructure. The three bugs are tracked as CVE-2026-21666, CVE-2026-21667, and CVE-2026-21708.
The advisory also details two high-severity flaws. CVE-2026-21668 allows attackers with repository access to manipulate arbitrary files on backup infrastructure, potentially affecting stored backup data, and CVE-2026-21672, a local privilege escalation flaw, could enable attackers who already have limited access to elevate their privileges on the Veeam servers.
The advisory said that some vulnerabilities were reported through Veeam’s bug bounty program on HackerOne, while others were discovered during internal testing. While Veeam did not mention any in-the-wild exploitation, Backup & Replication bugs have been repeatedly weaponized in the past.
Patches are available
Veeam warned that organizations should apply the patched build promptly, noting that vulnerability disclosures frequently trigger attempts by attackers to reverse-engineer patches and develop exploits for unpatched systems.
The issues were fixed in Veeam Backup & Replication 12.3.2.4465, and organizations running unsupported or older builds should assume they are vulnerable and upgrade immediately. The urgency around the latest bugs is amplified by the fact that Veeam Backup & Replication has repeatedly faced critical vulnerabilities in recent years, some of which have been actively exploited by attackers.
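As an added example (not from the article or from Veeam), the following Python triage applies the build numbers quoted above to a constructed server inventory: builds at or above 12.3.2.4465 are patched, version 12 builds up to and including 12.3.2.4165 are affected, and everything else (unsupported, older, or unlisted builds) is assumed vulnerable, as the article advises. Hostnames and build strings in the inventory are made up for illustration.

```python
from typing import Dict, Tuple

# Build numbers taken from the advisory coverage above.
FIXED_BUILD = (12, 3, 2, 4465)           # first build carrying the fixes
LAST_LISTED_AFFECTED = (12, 3, 2, 4165)  # latest build the advisory names as affected

# Constructed sample inventory: hostname -> build string reported by the server.
SAMPLE_INVENTORY: Dict[str, str] = {
    "vbr-prod-01": "12.3.2.4465",
    "vbr-prod-02": "12.3.2.4165",
    "vbr-dr-01": "12.1.0.2131",
    "vbr-legacy": "11.0.1.1261",
    "vbr-unknown": "12.3",
}


def parse_build(version: str) -> Tuple[int, ...]:
    """Turn '12.3.2.4165' into (12, 3, 2, 4165); reject anything that is not four integers."""
    parts = tuple(int(p) for p in version.strip().split("."))
    if len(parts) != 4:
        raise ValueError(f"unexpected build string: {version!r}")
    return parts


def assess_build(version: str) -> str:
    """Classify one build as 'patched', 'affected' or 'assume-affected'."""
    build = parse_build(version)
    if build >= FIXED_BUILD:
        return "patched"
    if build[0] == 12 and build <= LAST_LISTED_AFFECTED:
        return "affected"  # explicitly listed in the advisory
    # Unsupported/older majors, and version 12 builds the advisory does not name:
    # treat as vulnerable until upgraded.
    return "assume-affected"


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Assess every host; malformed build strings are flagged rather than skipped."""
    result: Dict[str, str] = {}
    for host, version in inventory.items():
        try:
            result[host] = assess_build(version)
        except ValueError:
            result[host] = "unparseable"
    return result


if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host:12} {status}")
```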
In 2024, security agencies warned that ransomware groups were exploiting CVE-2024-40711, a critical flaw in the platform that allowed remote code execution without authentication. Attackers used the vulnerability to compromise backup servers and delete recovery data as part of ransomware campaigns. The pattern continued in 2025, when Veeam patched CVE-2025-23120, another critical RCE bug that allowed any authenticated domain user to execute code on a backup server in domain-joined environments.
The steady stream of high-severity bugs, along with the history of real-world exploitation, makes timely patching critical for organizations running Veeam Backup & Replication. Organizations must treat backup systems as highly privileged infrastructure requiring strong access controls and isolation.