CVE-2026-21667
published 2026-03-12CVE-2026-21667: A vulnerability allowing an authenticated domain user to perform remote code execution (RCE) on the Backup Server.
PriorityP261high8.8CVSS 3.1
AVNACLPRLUINSUCHIHAH
EPSS
1.13%
62.3th percentile
A vulnerability allowing an authenticated domain user to perform remote code execution (RCE) on the Backup Server.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| veeam | veeam_backup_replication | >= 12.0.0.1402 < 12.3.2.4465 | 12.3.2.4465 |
Detection & IOCsextracted from sources · hover to see the quote
- →CVE-2026-21667 affects Veeam Backup & Replication (VBR); detect exploitation attempts targeting the Backup Server service from authenticated low-privileged domain user accounts performing unexpected RCE-class actions ↗
- →Prioritize detection on unpatched VBR deployments running versions prior to 12.3.2.4465 or 13.0.1.2067; threat actors are expected to reverse-engineer the patch rapidly to build exploits ↗
- →Monitor VBR servers for lateral movement activity post-exploitation; ransomware groups (FIN7, Cuba, Frag, Akira, Fog) have historically leveraged VBR RCE bugs as a jumping-off point for network-wide compromise and backup deletion ↗
- ·CVE-2026-21667 requires an authenticated domain user — purely unauthenticated exploitation is not described; ensure detection logic accounts for the low-privilege authenticated attacker precondition ↗
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
No public exploits indexed.
Bleepingcomputer
Veeam warns of critical flaws exposing backup servers to RCE attacks
blogs_bleepingcomputer·2026-03-12·CVSS 9.9
[CRITICAL] Veeam warns of critical flaws exposing backup servers to RCE attacks
## Veeam warns of critical flaws exposing backup servers to RCE attacks
## Sergiu Gatlan
Data protection company Veeam Software has patched multiple flaws in its Backup & Replication solution, including four critical remote code execution (RCE) vulnerabilities.
VBR is enterprise data backup and recovery software that helps IT administrators to create copies of critical data for quick restoration following cyberattacks and hardware failures.
Three RCE security flaws patched today (tracked as CVE-2026-21666 , CVE-2026-21667 , and CVE-2026-21669 ) allow low-privileged domain users to execute remote code on vulnerable backup servers in low-complexity attacks.
The fourth one (tracked as CVE-2026-21708 ) allows a Backup Viewer to gain remote code execution as the postgres user.
Veeam also
Wiz
CVE-2026-21667 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.9
CVE-2026-21667 [CRITICAL] CVE-2026-21667 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-21667 :
Veeam Backup & Replication vulnerability analysis and mitigation
A vulnerability allowing an authenticated domain user to perform remote code execution (RCE) on the Backup Server.
Source : NVD
## 8.8
Score
Published March 12, 2026
Severity HIGH
CNA Score 9.9
High-profile Vulnerability Yes
Affected Technologies
Veeam Backup & Replication
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 53.4
Exploitation Probability (EPSS) 0.3
Affected packages and libraries
cpe:2.3:a:veeam:backup_and_replication
cpe:2.3:a:veeam:veeam_backup_\&_replication
Sources
Windows Severity HIGH Has Fix Added at: Mar 15, 2026
## Get a CVE risk assessment
Get a prioritized view of CVEs
2026-03-12
Published