On March 12, 2026, Veeam released fixes for multiple high and critical severity vulnerabilities in their Backup & Replication product that could allow remote code execution (RCE), privilege escalation, and credential theft.

| Vulnerability | CVSS | Description |
|---|---|---|
| CVE-2026-21669 | Critical (9.9) | Allows an authenticated threat actor with domain user access to perform RCE on the Backup Server. |
| CVE-2026-21670 | High (7.7) | Allows privileged threat actors to extract saved SSH credentials. |
| CVE-2026-21671 | Critical (9.1) | Allows an authenticated threat actor with the Backup Administrator role to perform RCE in high availability (HA) deployments. |
| CVE-2026-21672 | High (8.8) | Allows local privilege escalation on Windows-based Veeam Backup and Replication servers. |
| CVE-2026-21708 | Critical (9.9) | Allows a threat actor with the Backup Viewer role to perform RCE as a postgres user. |

Arctic Wolf has not identified publicly available proof-of-concept exploits for these vulnerabilities, nor have we observed any exploitation. Veeam Backup & Replication has historically been a frequent target for ransomware groups due to its critical role in backup and recovery. In ransomware cases involving Akira and Fog ransomware, for example, threat actors have been known to extract sensitive information from Veeam Backup & Replication deployments.
Recommendation
Upgrade to Latest Fixed Build
Arctic Wolf strongly recommends that customers upgrade to the latest fixed build.

| Product | Affected Version | Fixed Version |
|---|---|---|
| Veeam Backup & Replication | 13.0.1.1071 and all earlier version 13 builds | 13.0.1.2067 and later builds |

Please follow your organization’s patching and testing guidelines to minimize potential operational impact.
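
A triage helper for the version table above, as an added example rather than Arctic Wolf's or Veeam's own tooling: it classifies build strings from an inventory export against the affected and fixed builds listed in this advisory. The CSV layout, hostnames and sample builds are constructed, and any build the table does not cover is marked for manual review rather than guessed.

```python
# Added example: classify Veeam Backup & Replication builds against this advisory.
import csv
import io
import re

LAST_AFFECTED = (13, 0, 1, 1071)  # "13.0.1.1071 and all earlier version 13 builds"
FIRST_FIXED = (13, 0, 1, 2067)    # "13.0.1.2067 and later builds"
BUILD_RE = re.compile(r"\d+(?:\.\d+){3}", re.ASCII)

# Constructed sample inventory; hostnames and builds are illustrative only.
SAMPLE_INVENTORY = """host,build
vbr-01.example.internal,13.0.1.1071
vbr-02.example.internal,13.0.1.2067
vbr-03.example.internal,13.0.0.100
vbr-04.example.internal,12.0.0.1
vbr-05.example.internal,13.0.1.1500
vbr-06.example.internal,unknown
"""

def classify(build):
    """Return AFFECTED, FIXED, or REVIEW for a four-part build string."""
    build = build.strip()
    if not BUILD_RE.fullmatch(build):
        return "REVIEW"  # unparseable value: check the host by hand
    version = tuple(int(part) for part in build.split("."))
    if version >= FIRST_FIXED:
        return "FIXED"
    if version[0] == 13 and version <= LAST_AFFECTED:
        return "AFFECTED"
    # Builds between the two listed values, or on another major version,
    # are not covered by the advisory's table.
    return "REVIEW"

def triage(csv_text):
    """Map each status to the list of hosts that fall under it."""
    result = {"AFFECTED": [], "FIXED": [], "REVIEW": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        result[classify(row["build"])].append(row["host"])
    return result

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```
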



