CVE-2026-21669
published 2026-03-12

CVE-2026-21669: A vulnerability allowing an authenticated domain user to perform remote code execution (RCE) on the Backup Server.

Priority: P266 · Severity: critical · CVSS 3.1 score: 9.9
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS: 1.17% (63.6th percentile)

Affected

2 ranges

| Vendor | Product | Version range | Fixed in |
| veeam | backup_and_replication | >= 13.0.1 < 13.0.1 | 13.0.1 |
| veeam | veeam_backup_replication | >= 13.0.0.496 < 13.0.1.2067 | 13.0.1.2067 |

Detection & IOCs (extracted from sources)

  • CVE-2026-21669 affects Veeam Backup & Replication; monitor for RCE activity originating from authenticated domain user accounts targeting Backup Server processes — patched in versions 12.3.2.4465 and 13.0.1.2067
  • Threat actors are known to reverse-engineer Veeam patches shortly after disclosure to exploit unpatched deployments; prioritize detection of exploitation attempts on unpatched VBR instances immediately following patch release
  • VBR servers are high-value ransomware targets; alert on lateral movement, data exfiltration, or backup deletion activity originating from or targeting VBR infrastructure — associated threat groups include FIN7, Cuba, Frag, Akira, and Fog ransomware
  • No public exploit exists for CVE-2026-21669 at time of publication; EPSS exploitation probability is 0.3% (48.9th percentile), indicating moderate but not yet elevated real-world exploitation likelihood
  • Fixed versions are 12.3.2.4465 and 13.0.1.2067; detections should be scoped to instances running versions prior to these builds
  • CVE-2026-21669 is not listed in CISA KEV as of publication date, so mandatory remediation timelines for federal agencies do not yet apply