Veeam Backup & Replication: Updates close malicious code injection gaps
Veeam is closing several critical security vulnerabilities in Veeam Backup & Replication with updates. They allow attackers to inject malicious code.
(Image: chanpipat / Shutterstock.com)
Developers have discovered several security vulnerabilities, some of them critical, in the backup software Veeam Backup & Replication. Among other things, they allow attackers to inject and execute arbitrary code. Updates fix the weaknesses.
Veeam has published two security advisories. The first lists the security holes closed by the update to Veeam Backup & Replication 12.3.2.4465. Veeam provides no technical details, only the impact. For example, two vulnerabilities allow authenticated domain users to execute malicious code remotely on the backup server (CVE-2026-21666 and CVE-2026-21667, both CVSS 9.9, risk "critical"). Logged-in domain users can also bypass access restrictions and manipulate arbitrary files in backup repositories (CVE-2026-21668, CVSS 8.8, risk "high"). On Windows-based Backup & Replication servers, privilege escalation is also possible (CVE-2026-21672, CVSS 8.8, risk "high"). IT administrators running Veeam Backup & Replication 12, 12.1, 12.2, 12.3, 12.3.1 or 12.3.2 should update to the new version.
A second security advisory summarizes the vulnerabilities fixed in Veeam Backup & Replication 13.0.1.2067. Here too, logged-in domain users can execute malicious code remotely on the backup server (CVE-2026-21669, CVSS 9.9, risk "critical"). In Veeam Backup & Replication high availability (HA) environments, users with the backup admin role can execute arbitrary code (CVE-2026-21671, CVSS 9.1, risk "critical"). The privilege escalation vulnerability CVE-2026-21672 also affects the version 13 branch. Furthermore, users with low privileges can read stored SSH credentials (CVE-2026-21670, CVSS 7.7, risk "high").
Veeam: Vulnerabilities in all versions
Some vulnerabilities affect both the 12 and 13 branches of Veeam Backup & Replication. Users with the Backup Viewer role can execute code remotely as the "postgres" user (CVE-2026-21708, CVSS 9.9, risk "critical"). The updates also align the port range of the Veeam Agent for Linux with that of other Veeam products; it is now 2500 to 3000. Veeam states that the vulnerabilities were found in internal tests and through submissions via the HackerOne bug bounty platform. The manufacturer does not report any exploitation in the wild.
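The two advisories name one fixed build per branch (12.3.2.4465 and 13.0.1.2067), so a fleet check reduces to comparing each server's four-part build number against the fix for its major version. The script below does that comparison and flags builds outside the two branches as not covered by these advisories. It is an added example, not Veeam's own code; the inventory it runs over is constructed sample data, and obtaining the real build string from each server is left to the reader's inventory tooling.

```python
"""Compare installed Veeam Backup & Replication builds against the fixed builds
named in Veeam's two advisories. Added example, not Veeam code."""

# Fixed builds from the article: the first advisory (12 branch) and the second (13 branch).
FIXED_BUILDS = {
    12: (12, 3, 2, 4465),
    13: (13, 0, 1, 2067),
}


def parse_build(text):
    """Turn '12.3.2.4465' (or a shorter '12.3.2') into a 4-tuple of ints.
    Missing trailing components count as 0, so a bare '12.3.2' sorts below
    the fixed 12.3.2.4465 build, which matches the article listing 12.3.2
    as affected."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Veeam build string: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (4 - len(nums))


def assess(installed):
    """Return (status, fixed_build) for one installed build string.
    status is 'patched', 'vulnerable', or 'unknown' (branch not covered by
    these two advisories, e.g. an older major version)."""
    build = parse_build(installed)
    fixed = FIXED_BUILDS.get(build[0])
    if fixed is None:
        return ("unknown", None)
    fixed_text = ".".join(map(str, fixed))
    if build >= fixed:
        return ("patched", fixed_text)
    return ("vulnerable", fixed_text)


def report(inventory):
    """inventory: {hostname: build string}. Returns a list of
    (hostname, status, fixed_build), vulnerable hosts first."""
    rows = [(host, *assess(build)) for host, build in inventory.items()]
    order = {"vulnerable": 0, "unknown": 1, "patched": 2}
    return sorted(rows, key=lambda r: (order[r[1]], r[0]))


# Constructed sample inventory (hostnames and build strings are made up).
SAMPLE_INVENTORY = {
    "vbr-prod-01": "12.3.2",        # 12 branch, pre-fix build
    "vbr-prod-02": "12.3.2.4465",   # exactly the fixed 12 build
    "vbr-lab-01": "13.0",           # 13 branch, pre-fix build
    "vbr-lab-02": "13.0.1.2067",    # exactly the fixed 13 build
    "vbr-legacy": "11.0",           # not covered by either advisory
}

if __name__ == "__main__":
    for host, status, fixed in report(SAMPLE_INVENTORY):
        target = f" -> update to {fixed}" if status == "vulnerable" else ""
        print(f"{host:12} {status:10}{target}")
```

The comparison is a plain tuple comparison, so a build such as 12.3.1.x is correctly reported as vulnerable even though the advisory's fixed build is in the 12.3.2 line, and anything in a branch outside 12 and 13 is surfaced as "unknown" rather than silently treated as safe.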
IT administrators should update their Veeam systems promptly; otherwise the critical vulnerabilities offer attackers an easy target. Veeam most recently fixed several vulnerabilities in its backup software in January.
(dmk)