Veeam backup now has critical RCEs — patch urgently
Veeam Backup & Replication is affected by newly disclosed critical remote-code-execution flaws that could let authenticated users compromise backup servers; admins were told to patch immediately. The advisory sits alongside a wider vendor-patch wave (SonicWall, Cisco, Fortinet, Microsoft, SAP), reinforcing the need for automated patch management in sensitive environments.
Veeam released security updates on March 12, 2026 that collectively address seven vulnerabilities across Backup & Replication branches, including multiple issues scored at CVSS 9.9 (thehackernews.com). Affected builds include Veeam Backup & Replication 12.3.2.4165 and all earlier 12.x builds, with fixes shipped in 12.3.2.4465, and 13.0.1.1071 and earlier 13.x builds, with fixes shipped in 13.0.1.2067 (veeam.com).
The public CVE set lists RCEs and other impacts: CVE-2026-21666, CVE-2026-21667 and CVE-2026-21669 are 9.9-rated RCEs; CVE-2026-21708 allows a Backup Viewer to execute as the postgres user; CVE-2026-21671 permits RCE in HA for Backup Administrators; CVE-2026-21672 is a Windows local privilege escalation; CVE-2026-21668 and CVE-2026-21670 enable repository file manipulation and SSH credential extraction respectively (thehackernews.com).
Veeam notes CVE-2026-21666 was reported via HackerOne while several other issues were discovered during internal testing, and third-party trackers and vendors report no public proof-of-concepts or confirmed exploitation as of March 13, 2026 (veeam.com).
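To turn the build ranges above into a patch-status check, the following added example (not from Veeam or the cited reports) triages a "host,build" inventory against the two fixed builds. The inventory format, hostnames and function names are assumptions, and builds numerically later than a fixed build in the same branch are assumed to contain the fix.

```python
import re

# First fixed build per major branch, as stated in the text above.
FIXED = {12: (12, 3, 2, 4465), 13: (13, 0, 1, 2067)}
BUILD_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)\.(\d+)\s*$")

def parse_build(text):
    """Return a 4-tuple of ints, or None if text is not a four-part build."""
    m = BUILD_RE.match(text)
    return tuple(int(p) for p in m.groups()) if m else None

def classify(build_text):
    """Return 'vulnerable', 'patched', 'unknown-branch' or 'unparseable'."""
    build = parse_build(build_text)
    if build is None:
        return "unparseable"
    fixed = FIXED.get(build[0])
    if fixed is None:
        # The text only gives ranges for 12.x and 13.x; do not guess for others.
        return "unknown-branch"
    # Tuples compare field by field as integers, so 4465 > 4165 and 10 > 9;
    # comparing the raw strings would get multi-digit fields wrong.
    return "patched" if build >= fixed else "vulnerable"

def triage(inventory):
    """Map host -> status for 'host,build' lines; blanks and '#' lines skipped."""
    results = {}
    for line in inventory.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _, build = line.partition(",")
        results[host.strip()] = classify(build)
    return results

# Constructed sample inventory: hostnames are made up, and builds other than
# the four named in the text are sample values.
SAMPLE = """\
vbr-01,12.3.2.4165
vbr-02,12.3.2.4465
vbr-03,13.0.1.1071
vbr-04,13.0.1.2067
vbr-05,11.0.0.1
vbr-06,not-reported
"""

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host:8} {status}")
```

Hosts reported as unparseable or unknown-branch need manual follow-up rather than being counted as patched.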