CRITICAL🇵🇱 Wersja polska

CVE-2026-21669

CVSS 9.9v3.1pub. 2026-03-12upd. 2026-05-10

A vulnerability allowing an authenticated domain user to perform remote code execution (RCE) on the Backup Server.

🤖 AI Analysis
How it works

An attacker with a domain account with access to the environment can send a properly crafted request to the Veeam Backup & Replication server. The vulnerability classified as CWE-94 (improper control of code generation) and CWE-693 (protection mechanism failure) indicates the possibility of code injection and execution on the server side bypassing security mechanisms. The attack is possible over the network without additional interaction from the victim.

Impact

An attacker can gain full control over the backup server, which includes confidentiality, integrity and availability of stored data — including access to backups of the entire infrastructure and potential lateral movement in the environment.

Mitigation & patch

Patches available from the manufacturer should be applied in accordance with references published at https://www.veeam.com/kb4831

Who is affected

Veeam Backup & Replication — versions indicated in the manufacturer's references (https://www.veeam.com/kb4831)

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
  • Veeam Backup \& Replication

    APP
    Veeam
    13.0.0.496 – 13.0.1.2067 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCE
CWE
References

Related vulnerabilities

CVE-2024-40711CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Krytyczne RCE przez deserialization w Veeam Backup & Replication

CVE-2022-26501CRITICAL9.8⚠ KEVten sam produkt

Veeam Backup & Replication 10.x and 11.x has Incorrect Access Control (issue 1 of 2).

CVE-2026-21667CRITICAL9.9PL ✓ten sam produkt

RCE w Veeam Backup & Replication dla uwierzytelnionego użytkownika domenowego

CVE-2026-21666CRITICAL9.9PL ✓ten sam produkt

RCE dla uwierzytelnionego użytkownika domenowego w Veeam Backup & Replication

CVE-2026-21671CRITICAL9.1PL ✓ten sam produkt

RCE dla administratora kopii zapasowych w Veeam Backup & Replication (HA)