SOCRadar® Cyber Intelligence Inc. | Veeam Backup & Replication: CVE-2026-21666 and Related RCE Fixes
Mar 13, 2026

Veeam Backup & Replication: CVE-2026-21666 and Related RCE Fixes

Veeam shipped new security fixes for Veeam Backup & Replication (VBR) on March 12, 2026, publishing separate KBs for its supported major branches.

The updates address a cluster of vulnerabilities that include multiple Remote Code Execution (RCE) paths and a Windows local privilege escalation issue.

This post breaks down what was patched, which builds are affected, whether exploitation is happening, and what defenders should do next.

What Are the Latest Veeam Patches?

Veeam released two security KBs covering the same patch event but different major branches:

  • VBR v12 fixes: build 12.3.2.4465 (KB4830)
  • VBR v13 fixes: build 13.0.1.2067 (KB4831)

Across both branches, the fixes cover eight CVEs: CVE-2026-21666, CVE-2026-21667, CVE-2026-21668, CVE-2026-21669, CVE-2026-21670, CVE-2026-21671, CVE-2026-21672, and CVE-2026-21708.

The highest-risk items center on authenticated RCE on the Backup Server and an additional RCE-as-postgres scenario tied to the Backup Viewer role.

Which Veeam Backup & Replication Versions Are Affected?

Veeam scoped the affected builds clearly per major version line.

  • If you run VBR 12.3.2.4165 or any earlier v12 build, you are in scope for the v12 advisory. Veeam lists 12.3.2.4465 as the fixed build.
  • If you run VBR 13.0.1.1071 or any earlier v13 build, you are in scope for the v13 advisory. Veeam lists 13.0.1.2067 as the fixed build.

If you manage mixed estates, treat this as two parallel remediation tracks. The CVE set overlaps, but the affected build ranges and fixed builds differ by major branch.
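The two remediation tracks can be checked mechanically against an inventory export. The Python below is an added example, not code from Veeam or from this post; it uses only the build numbers quoted above and the per-branch CVE lists given later in this post, and the hostnames and inventory are constructed. Builds that fall between the last build named as affected and the fixed build are marked `verify`, because the advisory ranges quoted here do not classify them.

```python
# Added example: thresholds are the builds quoted in this post (KB4830, KB4831);
# the CVE lists are the ones the post gives per branch. Hosts are constructed.
ADVISORIES = {
    12: {"kb": "KB4830", "affected_max": (12, 3, 2, 4165), "fixed": (12, 3, 2, 4465),
         "cves": ["CVE-2026-21666", "CVE-2026-21667", "CVE-2026-21668",
                  "CVE-2026-21672", "CVE-2026-21708"]},
    13: {"kb": "KB4831", "affected_max": (13, 0, 1, 1071), "fixed": (13, 0, 1, 2067),
         "cves": ["CVE-2026-21669", "CVE-2026-21670", "CVE-2026-21671",
                  "CVE-2026-21672", "CVE-2026-21708"]},
}
INVENTORY = {  # constructed sample data, not real hosts or real release builds
    "vbr-hq-01": "12.3.2.4165", "vbr-hq-02": "12.3.2.4465",
    "vbr-dr-01": "13.0.1.1071", "vbr-dr-02": "13.0.1.2067",
    "vbr-lab-01": "12.3.2.4300", "vbr-old-01": "11.0.0.1",
}
SEVERITY = {"in-scope": 0, "verify": 1, "no-advisory-for-branch": 2, "fixed": 3}

def parse_build(text):
    """Turn '12.3.2.4165' into (12, 3, 2, 4165); reject anything else."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part build number: {text!r}")
    return tuple(int(p) for p in parts)

def triage(build_text):
    """Classify one build against the advisory for its own major branch."""
    build = parse_build(build_text)
    adv = ADVISORIES.get(build[0])
    if adv is None:  # the post only covers the v12 and v13 branches
        return {"status": "no-advisory-for-branch", "kb": None, "target": None, "cves": []}
    if build >= adv["fixed"]:
        status = "fixed"
    elif build <= adv["affected_max"]:
        status = "in-scope"
    else:  # between the last build named as affected and the fixed build
        status = "verify"
    return {"status": status, "kb": adv["kb"],
            "target": ".".join(map(str, adv["fixed"])),
            "cves": adv["cves"] if status == "in-scope" else []}

def report(inventory):
    """Rows of (host, build, result), most urgent first, then by host name."""
    rows = [(host, build, triage(build)) for host, build in inventory.items()]
    return sorted(rows, key=lambda r: (SEVERITY[r[2]["status"]], r[0]))

if __name__ == "__main__":
    for host, build, res in report(INVENTORY):
        print(f"{host:12} {build:14} {res['status']:24} {res['kb'] or '-':7} "
              f"-> {res['target'] or 'n/a'}  {', '.join(res['cves'])}")
```

Comparing full four-part tuples, rather than only the last field, keeps an older v12 line such as 12.1.x from being misread as newer than 12.3.2.4165 when its final number happens to be larger.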

What Can Attackers Do With These CVEs?

Veeam’s descriptions point to three impact themes that matter operationally: RCE, credential exposure, and privilege escalation.

Veeam describes the following outcomes in the v12 KB:

  • CVE-2026-21666 (CVSS 9.9): authenticated domain user can achieve RCE on the Backup Server
  • CVE-2026-21667 (CVSS 9.9): authenticated domain user can achieve RCE on the Backup Server
  • CVE-2026-21708 (CVSS 9.9): a Backup Viewer can get RCE as postgres
  • CVE-2026-21668 (CVSS 8.8): authenticated domain user can manipulate arbitrary files on a Backup Repository
  • CVE-2026-21672 (CVSS 8.8): local privilege escalation on Windows-based VBR servers

The standout operational concern is that multiple paths start from an authenticated domain user, which places emphasis on identity hygiene and lateral movement controls, not just perimeter exposure.

Details of CVE-2026-21666 (SOCRadar’s Vulnerability Intelligence)


In parallel, Veeam’s v13 KB lists:

  • CVE-2026-21669 (CVSS 9.9): authenticated domain user can achieve RCE on the Backup Server
  • CVE-2026-21708 (CVSS 9.9): a Backup Viewer can get RCE as postgres
  • CVE-2026-21671 (CVSS 9.1): Backup Administrator role can achieve RCE in HA deployments
  • CVE-2026-21672 (CVSS 8.8): local privilege escalation on Windows-based VBR servers
  • CVE-2026-21670 (CVSS 7.7): low-privileged user can extract saved SSH credentials

Two points change the prioritization conversation for many teams: the credential extraction angle (SSH) and the explicit callout that certain RCE paths relate to HA deployments.

Is There Evidence of Active Exploitation in the Wild?

For this specific patch set released on March 12, 2026, Veeam’s advisories do not report active exploitation.

That said, defenders should not treat “not reported” as “low risk.” VBR is a high-value target because compromise can translate into direct control over backups, backup repositories, and the credential material often used to reach hypervisors and storage.

Prior VBR vulnerabilities have been exploited by ransomware actors, including CVE-2024-40711, which is relevant context for how quickly attackers may move once patch details are available.

SOCRadar’s ASM, Company Vulnerabilities


As backup infrastructure becomes a higher-value target, security teams need more than patch alerts. SOCRadar’s Cyber Threat Intelligence helps track newly disclosed flaws, monitor exploitation signals, and prioritize risks based on real-world threat activity. Combined with Attack Surface Management (ASM), teams can also identify exposed backup-related assets and reduce the chance that a missed system turns into a ransomware entry point.

For issues affecting platforms like Veeam Backup & Replication, this gives defenders clearer visibility into what matters, what is exposed, and what needs attention first.

What Should Defenders Do Now to Reduce Risk?

Start with vendor remediation, then reduce the blast radius in case an attacker already has credentials or workstation footholds.

Apply the vendor fixes (priority action) 

  • VBR v12: upgrade to 12.3.2.4465
  • VBR v13: upgrade to 13.0.1.2067 (and use the release/ISO artifact guidance referenced in KB4738)

Tighten access to VBR like a tier-0 system

  • Restrict interactive logons and administrative access to VBR servers to a minimal admin set.
  • Limit management plane reachability to admin networks only, and block general workstation access where possible.
  • Review VBR role assignments, especially lower-privileged roles such as Backup Viewer, given the explicit RCE-as-postgres impact described for CVE-2026-21708.

Monitor for abuse patterns that match the impact 

  • Look for anomalous console/API usage patterns that suggest role misuse.
  • Watch for signs of local privilege escalation attempts on Windows-based VBR servers, since CVE-2026-21672 is shared across both v12 and v13 advisories.