Veeam Backup vulnerabilities in versions 12 and 13 allow remote code execution in some cases, with a CVSS score of up to 9.9. Affected systems should be updated immediately.
Veeam Backup vulnerabilities in versions 12 and 13 in detail
Veeam has fixed several serious vulnerabilities in Backup & Replication that can be clearly broken down by the affected major versions 12 and 13. What makes this especially critical is that this is not just about classic remote code execution on the backup server, but also about a case involving the Backup Viewer role, manipulated files in repositories, exposed SSH credentials, and local privilege escalation on Windows-based systems. According to Veeam for version 12, Veeam for version 13, and the BSI warning, the issue is already considered critical; the current Veeam build overview has listed the fixed releases as the current builds since March 13, 2026.
The affected builds are version 12.3.2.4165 and older version 12 builds in the 12.x branch, and version 13.0.1.1071 and older version 13 builds in the 13.x branch. According to the vendor, the fixes are available starting with 12.3.2.4465 and 13.0.1.2067 respectively. One distinction is especially important for readers: some vulnerabilities require an authenticated domain user, others require an existing role-based account within the backup environment, and others require local access to Windows systems. That is what makes the overall situation so concerning, because these layered privilege profiles are often already present in real-world networks or can be reached quickly after an initial breach.
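The build thresholds above are easy to misread when a fleet mixes 12.x and 13.x servers, so here is a small triage helper, added as an example and not Veeam's own tooling, that compares an installed build string against the fixed releases named by the vendor. The hostnames in the sample inventory are constructed; the only real values are the build numbers taken from this advisory.

```python
# Added example (not Veeam's code): triage installed Veeam Backup & Replication
# builds against the fixed releases stated in the advisory (12.3.2.4465 / 13.0.1.2067).
from typing import Dict, List, Optional, Tuple

# Fixed build per affected major branch, as stated by the vendor.
FIXED_BUILDS: Dict[int, Tuple[int, int, int, int]] = {
    12: (12, 3, 2, 4465),
    13: (13, 0, 1, 2067),
}


def parse_build(build: str) -> Tuple[int, int, int, int]:
    """Turn a dotted Veeam build string such as '12.3.2.4165' into a comparable tuple."""
    parts = build.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected build format: {build!r}")
    return (int(parts[0]), int(parts[1]), int(parts[2]), int(parts[3]))


def assess_build(build: str) -> dict:
    """Return a verdict for one installed build: 'vulnerable', 'fixed' or 'unknown-branch'."""
    installed = parse_build(build)
    fixed: Optional[Tuple[int, int, int, int]] = FIXED_BUILDS.get(installed[0])
    if fixed is None:
        # Majors not covered by this advisory (e.g. older branches) need a separate check.
        return {"build": build, "status": "unknown-branch", "required": None}
    required = ".".join(map(str, fixed))
    # Any build in the branch below the fixed build is affected (tuple comparison is lexicographic).
    status = "vulnerable" if installed < fixed else "fixed"
    return {"build": build, "status": status, "required": required}


def assess_fleet(inventory: Dict[str, str]) -> List[dict]:
    """Assess a {hostname: build} inventory; vulnerable hosts are listed first."""
    results = [dict(host=host, **assess_build(build)) for host, build in inventory.items()]
    results.sort(key=lambda r: r["status"] != "vulnerable")
    return results


if __name__ == "__main__":
    # Constructed sample inventory: hostnames are made up, builds come from the advisory.
    sample = {
        "vbr-01": "12.3.2.4165",  # affected 12.x build
        "vbr-02": "13.0.1.1071",  # affected 13.x build
        "vbr-03": "13.0.1.2067",  # fixed 13.x build
    }
    for r in assess_fleet(sample):
        print(f"{r['host']:8} {r['build']:14} {r['status']:15} required={r['required']}")
```

Feed it the build strings as shown in the console or the vendor's build overview; it does not query the servers itself.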
Veeam Backup vulnerabilities in version 12
In version 12, the focus is on several critical attack paths targeting the backup server itself, as well as one particularly problematic case involving repositories and a local privilege escalation issue on Windows-based servers.
- CVE-2026-21666 – CVSS 9.9
  This vulnerability allows an authenticated domain user to achieve remote code execution on the backup server. What makes it so critical is that no local access is required, and an existing domain account may be enough to directly target the central backup node. Once the backup server is in scope, the risk no longer concerns just individual jobs, but potentially the entire backup and recovery logic.
- CVE-2026-21667 – CVSS 9.9
  This issue also enables remote code execution by an authenticated domain user on the backup server. From an operational perspective, it is just as serious as CVE-2026-21666: attackers do not need full administrative privileges, only a suitable authenticated account in the domain context. For defenders, that means traditional network boundaries alone are not enough to reduce the risk.
- CVE-2026-21668 – CVSS 8.8
  This vulnerability allows an authenticated domain user to bypass restrictions and manipulate arbitrary files on a backup repository. That is exactly what makes this bug so dangerous: it is not primarily about immediate code execution, but about the integrity of the backups. Anyone who can tamper with files in a repository is attacking the trust foundation of recovery itself.
- CVE-2026-21672 – CVSS 8.8
  This is a local privilege escalation vulnerability on Windows-based Veeam servers. At first glance, bugs like this may seem less dramatic than a network-based RCE, but in partially compromised environments they are extremely valuable. Anyone who already has a limited foothold on a system can use it to gain elevated privileges and prepare the next step toward full compromise.
- CVE-2026-21708 – CVSS 9.9
  This vulnerability allows a Backup Viewer to achieve remote code execution as the postgres user. That point stands out in particular: the entry point is not a classic administrator role, but a seemingly smaller one. That is the real core of the issue, because many organizations assign viewer roles for control, reporting, or audit purposes and may therefore underestimate their risk.
Veeam Backup vulnerabilities in version 13
The situation in version 13 is similarly critical, but somewhat broader. In addition to RCE on the backup server, it also includes theft of stored SSH credentials and a separate case affecting HA deployments of the Veeam Software Appliance.
- CVE-2026-21669 – CVSS 9.9
  An authenticated domain user can achieve remote code execution on the backup server. This is the direct parallel to the most critical cases in version 12. What makes it especially severe is that the attack targets the central orchestration point of data protection, putting not only data but also recovery processes at risk.
- CVE-2026-21670 – CVSS 7.7
  This vulnerability allows a low-privileged user to extract stored SSH credentials. While the score is lower than the 9.x issues, the practical value for attackers remains high. In backup environments, credentials are often the lever for lateral movement, repository access, or pivoting into other infrastructure segments.
- CVE-2026-21671 – CVSS 9.1
  Here, an authenticated user with the Backup Administrator role can execute code in high-availability deployments of the Veeam Software Appliance. What makes this issue special is that it does not affect every installation equally, but specifically HA scenarios. Anyone using this operating model should therefore treat it not just as a generic patch, but as a potentially business-critical configuration issue.
- CVE-2026-21672 – CVSS 8.8
  As in version 12, this is a local privilege escalation issue on Windows-based Veeam servers. In chained attacks, a flaw like this is especially valuable because it can turn a limited presence on the system into a more privileged position very quickly.
- CVE-2026-21708 – CVSS 9.9
  Version 13 is also affected by the flaw that allows a Backup Viewer to trigger remote code execution as the postgres user. From a prioritization standpoint, this is one of the most important points. The vulnerability shows that not only classic admin roles need to be reassessed, but also roles that many environments routinely assign with far less scrutiny.
Criticality of these vulnerabilities
In version 12, the immediate RCE and repository risks dominate, while version 13 adds a stronger appliance and credential angle. For patch and change teams, this separation is useful because it allows them to derive immediate actions: prioritize Windows-based backup servers, review HA appliance deployments separately, reassess roles such as Backup Viewer and Backup Administrator, and rotate stored SSH credentials after the update wherever possible.
Anyone running Veeam Backup & Replication version 12 or 13 should not only patch, but also review role assignments, network access to the backup server, and protection of the repositories. That is what makes the difference between a critical security bulletin remaining an administrative task and its becoming a genuine resilience incident.