cbcvebase.
CVE-2026-21708
published 2026-03-12

CVE-2026-21708: A vulnerability allowing a Backup Viewer to perform remote code execution (RCE) as the postgres user.

PriorityP267critical9.9CVSS 3.1
AVNACLPRLUINSCCHIHAL
EPSS
1.09%
61.3th percentile
A vulnerability allowing a Backup Viewer to perform remote code execution (RCE) as the postgres user.

Affected

3 ranges
VendorProductVersion rangeFixed in
veeambackup_and_replication>= 12 < 12.3.212.3.2
veeambackup_and_replication>= 13 < 13.0.113.0.1
veeamveeam_backup_replication>= 12.0.0.1402 < 12.3.2.4465.12.3.2.4465.

Detection & IOCsextracted from sources · hover to see the quote

  • CVE-2026-21708 affects Veeam Backup & Replication; exploit requires the attacker to hold the 'Backup Viewer' role — monitor for unexpected RCE activity originating from accounts with that role, executing as the postgres OS user
  • Alert on process execution where the parent process is a Veeam Backup & Replication service and the spawned process runs under the 'postgres' OS user account — this is the expected post-exploitation execution context for CVE-2026-21708
  • Prioritize patching to Veeam Backup & Replication versions 12.3.2.4465 or 13.0.1.2067; unpatched instances are high-value targets — threat actors are known to reverse-engineer Veeam patches rapidly to build exploits
  • VBR servers are historically targeted by ransomware groups (FIN7, Cuba, Frag, Akira, Fog, BlackBasta, REvil, Maze, Egregor, Conti) for lateral movement and backup deletion — treat any anomalous activity on VBR hosts as high priority
  • ·No public exploit exists for CVE-2026-21708 at time of publication; EPSS exploitation probability is 1.1% (78.1st percentile), indicating elevated but not yet confirmed in-the-wild exploitation
  • ·CVE-2026-21708 is not listed in CISA KEV as of the source publication date
  • ·Veeam explicitly warns that patch reverse-engineering by attackers is expected shortly after disclosure, compressing the window for safe remediation
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.