CVE-2026-21666
published 2026-03-12

CVE-2026-21666: A vulnerability allowing an authenticated domain user to perform remote code execution (RCE) on the Backup Server.

Priority: P2 · 61 · high
CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS: 1.13% (62.3th percentile)

Affected

2 ranges
| Vendor | Product | Version range | Fixed in |
|--------|---------|---------------|----------|
| veeam | backup_and_replication | >= 12.3.2 < 12.3.2 | 12.3.2 |
| veeam | veeam_backup_replication | >= 12.0.0.1402 < 12.3.2.4465 | 12.3.2.4465 |

Detection & IOCs (extracted from sources)

  • Target software: Veeam Backup & Replication (VBR) Backup Server — patch versions 12.3.2.4465 and 13.0.1.2067 fix CVE-2026-21666; unpatched instances below these versions are vulnerable to authenticated low-privileged domain user RCE
  • Attack profile: low-complexity attack requiring only an authenticated low-privileged domain user account — no elevated privileges needed; monitor for unexpected process execution or lateral movement originating from VBR Backup Server processes
  • Threat actor relevance: FIN7 (linked to Conti, REvil, Maze, Egregor, BlackBasta) and Cuba ransomware have historically exploited VBR vulnerabilities; Frag, Akira, and Fog ransomware have also exploited prior VBR RCE bugs — treat any exploitation of CVE-2026-21666 as a potential ransomware precursor
  • Post-patch reverse-engineering risk: Veeam explicitly warns that attackers will attempt to reverse-engineer the patch immediately after disclosure — prioritize patching VBR to 12.3.2.4465 or 13.0.1.2067 and monitor for exploitation attempts against unpatched deployments
  • CVE-2026-21666 affects Veeam Backup & Replication (VBR); fixed versions are 12.3.2.4465 and 13.0.1.2067; versions below these thresholds on the Backup Server component are vulnerable
  • Exploitation requires an authenticated domain user account (low privilege); unauthenticated exploitation is NOT indicated for this CVE; access controls limiting domain user access to the Backup Server reduce attack surface