cbcvebase.
CVE-2026-21667
published 2026-03-12

CVE-2026-21667: A vulnerability allowing an authenticated domain user to perform remote code execution (RCE) on the Backup Server.

PriorityP261high8.8CVSS 3.1
AVNACLPRLUINSUCHIHAH
EPSS
1.13%
62.3th percentile
A vulnerability allowing an authenticated domain user to perform remote code execution (RCE) on the Backup Server.

Affected

1 ranges
VendorProductVersion rangeFixed in
veeamveeam_backup_replication>= 12.0.0.1402 < 12.3.2.446512.3.2.4465

Detection & IOCsextracted from sources · hover to see the quote

  • CVE-2026-21667 affects Veeam Backup & Replication (VBR); detect exploitation attempts targeting the Backup Server service from authenticated low-privileged domain user accounts performing unexpected RCE-class actions
  • Prioritize detection on unpatched VBR deployments running versions prior to 12.3.2.4465 or 13.0.1.2067; threat actors are expected to reverse-engineer the patch rapidly to build exploits
  • Monitor VBR servers for lateral movement activity post-exploitation; ransomware groups (FIN7, Cuba, Frag, Akira, Fog) have historically leveraged VBR RCE bugs as a jumping-off point for network-wide compromise and backup deletion
  • ·CVE-2026-21667 requires an authenticated domain user — purely unauthenticated exploitation is not described; ensure detection logic accounts for the low-privilege authenticated attacker precondition
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.