Critical Veeam Flaws Expose Backup Servers to RCE Attacks

▼ Summary
– Veeam Software has patched four critical remote code execution (RCE) vulnerabilities in its Backup & Replication (VBR) solution.
– These flaws allow low-privileged users, like domain users or Backup Viewers, to execute code on vulnerable servers.
– Veeam also fixed high-severity bugs enabling privilege escalation, credential extraction, and file manipulation on Windows servers.
– The company urgently advises all customers to install the latest updates, as attackers quickly reverse-engineer patches to exploit unpatched systems.
– VBR servers are a common target for ransomware gangs due to their critical role in data backup and recovery for many large enterprises.
Veeam Software has issued urgent security patches for its widely used Backup & Replication platform, addressing multiple critical vulnerabilities that could allow attackers to execute malicious code on enterprise backup servers. These flaws, if left unpatched, present a severe risk as they enable unauthorized remote code execution, potentially giving threat actors a foothold within critical data protection infrastructure.
The company resolved four critical remote code execution (RCE) vulnerabilities. Three of these, identified as CVE-2026-21666, CVE-2026-21667, and CVE-2026-21669, can be exploited by low-privileged domain users to run arbitrary code on affected servers through relatively straightforward attacks. A fourth flaw, tracked as CVE-2026-21708, permits a user with Backup Viewer permissions to achieve remote code execution with the privileges of the ‘postgres’ system account. Alongside these critical issues, Veeam also fixed several high-severity bugs. These could allow attackers to escalate privileges on Windows servers, retrieve stored SSH credentials, or bypass security controls to tamper with files on backup repositories.
These security weaknesses were uncovered through Veeam’s own internal testing and via reports submitted through the HackerOne bug bounty platform. The necessary fixes are included in the latest software releases, specifically versions 12.3.2.4465 and 13.0.1.2067. The company is strongly urging all administrators to apply these updates immediately. Threat actors frequently analyze security patches to develop exploits for systems that remain unpatched, making prompt deployment essential for defense.
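As an added example (not from the article or from Veeam), a small inventory triage that compares installed VBR build strings against the two fixed builds the article names; it assumes that any 12.x or 13.x build older than its fixed build still needs the update, and flags other major lines for manual review because the article does not cover them.

```python
# Added example, not Veeam's code: branch-aware check of installed Veeam
# Backup & Replication builds against the fixed builds named in the article.
# Assumption: a 12.x or 13.x build older than its fixed build needs the update;
# other major lines are flagged "review" since the article says nothing about them.
from typing import Dict, List, Tuple

# Fixed builds stated in the article, keyed by major version line.
FIXED_BUILDS: Dict[int, Tuple[int, ...]] = {
    12: (12, 3, 2, 4465),
    13: (13, 0, 1, 2067),
}

def parse_build(version: str) -> Tuple[int, ...]:
    """Turn '12.3.2.4465' into a comparable tuple (12, 3, 2, 4465)."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected VBR build string: {version!r}")
    return tuple(int(p) for p in parts)

def assess(version: str) -> str:
    """Return 'patched', 'needs-update', or 'review' for one installed build."""
    build = parse_build(version)
    fixed = FIXED_BUILDS.get(build[0])
    if fixed is None:
        return "review"  # major line not covered by the advisory text
    return "patched" if build >= fixed else "needs-update"

def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Group hostnames by assessment so unpatched servers stand out."""
    groups: Dict[str, List[str]] = {"patched": [], "needs-update": [], "review": []}
    for host, version in sorted(inventory.items()):
        groups[assess(version)].append(host)
    return groups

# Constructed sample inventory: hostnames and the non-fixed builds are made up.
SAMPLE_INVENTORY = {
    "vbr-prod-01": "12.3.2.4465",
    "vbr-prod-02": "12.3.1.1000",
    "vbr-lab-01": "13.0.1.2067",
    "vbr-lab-02": "13.0.0.1000",
    "vbr-legacy": "11.0.0.1000",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:12s} {', '.join(hosts) or '-'}")
```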
Veeam Backup & Replication is a cornerstone of data recovery strategies for many organizations, including managed service providers and mid-to-large enterprises. Its very importance makes it a prized target for cybercriminals. Compromising a backup server can provide attackers with a powerful launchpad for moving laterally across a network, stealing data efficiently, and sabotaging recovery efforts by destroying backup copies. This tactic is commonly employed by ransomware groups to increase pressure on victims.
Notorious cybercrime syndicates have a history of targeting VBR servers. The financially motivated FIN7 group, known for its collaborations with various ransomware operations like Conti and BlackBasta, has previously exploited such vulnerabilities. Similarly, the Cuba ransomware gang has been linked to attacks leveraging VBR flaws. In a recent example from late 2024, Sophos X-Ops investigators reported that Frag ransomware exploited an earlier VBR RCE bug, a vulnerability also weaponized by Akira and Fog ransomware campaigns.
Given that Veeam’s solutions are deployed by over 550,000 customers globally, including a significant majority of the world’s largest corporations, the widespread impact of these vulnerabilities is considerable. Ensuring these critical patches are applied without delay is not just a recommendation but a fundamental requirement for maintaining organizational security posture and resilience against evolving cyber threats.
(Source: Bleeping Computer)