CVE-2026-21666
Published 2026-03-12

CVE-2026-21666: A vulnerability allowing an authenticated domain user to perform remote code execution (RCE) on the Backup Server.

Priority: P2 (61) · Severity: high · CVSS 3.1 base score: 8.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.13% (62.3rd percentile)
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| veeam | backup_and_replication | >= 12.3.2 < 12.3.2 | 12.3.2 |
| veeam | veeam_backup_replication | >= 12.0.0.1402 < 12.3.2.4465 | 12.3.2.4465 |
Detection & IOCs (extracted from sources)
- Target software: Veeam Backup & Replication (VBR) Backup Server — patch versions 12.3.2.4465 and 13.0.1.2067 fix CVE-2026-21666; unpatched instances below these versions are vulnerable to authenticated low-privileged domain user RCE.
- Attack profile: low-complexity attack requiring only an authenticated low-privileged domain user account — no elevated privileges needed; monitor for unexpected process execution or lateral movement originating from VBR Backup Server processes.
- Threat actor relevance: FIN7 (linked to Conti, REvil, Maze, Egregor, BlackBasta) and Cuba ransomware have historically exploited VBR vulnerabilities; Frag, Akira, and Fog ransomware have also exploited prior VBR RCE bugs — treat any exploitation of CVE-2026-21666 as a potential ransomware precursor.
- Post-patch reverse-engineering risk: Veeam explicitly warns that attackers will attempt to reverse-engineer the patch immediately after disclosure — prioritize patching VBR to 12.3.2.4465 or 13.0.1.2067 and monitor for exploitation attempts against unpatched deployments.
- CVE-2026-21666 affects Veeam Backup & Replication (VBR); fixed versions are 12.3.2.4465 and 13.0.1.2067 — versions below these thresholds on the Backup Server component are vulnerable.
- Exploitation requires an authenticated domain user account (low privilege); unauthenticated exploitation is NOT indicated for this CVE — access controls limiting domain user access to the Backup Server reduce attack surface.
No detection rules found.
No public exploits indexed.
## BleepingComputer: Veeam warns of critical flaws exposing backup servers to RCE attacks
blogs_bleepingcomputer · 2026-03-12 · CVSS 9.9 · severity: CRITICAL
Author: Sergiu Gatlan
Data protection company Veeam Software has patched multiple flaws in its Backup & Replication solution, including four critical remote code execution (RCE) vulnerabilities.
VBR is enterprise data backup and recovery software that helps IT administrators to create copies of critical data for quick restoration following cyberattacks and hardware failures.
Three RCE security flaws patched today (tracked as CVE-2026-21666, CVE-2026-21667, and CVE-2026-21669) allow low-privileged domain users to execute remote code on vulnerable backup servers in low-complexity attacks.
The fourth one (tracked as CVE-2026-21708) allows a Backup Viewer to gain remote code execution as the postgres user.
Veeam also
## Wiz: CVE-2026-21666 Impact, Exploitability, and Mitigation Steps
blogs_wiz · CVSS 9.9 · severity: CRITICAL
Veeam Backup & Replication vulnerability analysis and mitigation
Description (source: NVD): A vulnerability allowing an authenticated domain user to perform remote code execution (RCE) on the Backup Server.
- Score: 8.8
- Published: March 12, 2026
- Severity: HIGH
- CNA Score: 9.9
- High-profile Vulnerability: Yes
- Affected Technologies: Veeam Backup & Replication
- Has Public Exploit: No
- Has CISA KEV Exploit: No
- CISA KEV Release Date: N/A
- CISA KEV Due Date: N/A
- Exploitation Probability Percentile (EPSS): 53.4
- Exploitation Probability (EPSS): 0.3
Affected packages and libraries:
- cpe:2.3:a:veeam:veeam_backup_&_replication
- cpe:2.3:a:veeam:backup_and_replication
Sources: Windows · Severity: HIGH · Has Fix · Added at: Mar 15, 2026