Data protection firm Veeam Software has patched a number of flaws in its Backup & Replication solution, including four critical remote code execution (RCE) vulnerabilities.
VBR is enterprise data backup and recovery software that helps IT administrators create copies of critical data for quick restoration following cyberattacks and hardware failures.
Three of the patched RCE security flaws (tracked as CVE-2026-21666, CVE-2026-21667, and CVE-2026-21669) allow low-privileged domain users to execute remote code on vulnerable backup servers in low-complexity attacks.
The fourth one (tracked as CVE-2026-21708) allows a Backup Viewer to achieve remote code execution as the postgres user.
Veeam also addressed several high-severity security bugs that can be exploited to escalate privileges on Windows-based Veeam Backup & Replication servers, extract saved SSH credentials, and bypass restrictions to manipulate arbitrary files on a Backup Repository.
These vulnerabilities were found during internal testing or reported by HackerOne and are resolved in Veeam Backup & Replication versions 12.3.2.4465 and 13.0.1.2067.
Veeam also warned admins to upgrade the software to the latest release as soon as possible, since threat actors often start developing exploits shortly after patches are released.
“It is essential to note that when a vulnerability and its related patch are disclosed, attackers will probably try to reverse-engineer the patch to exploit unpatched deployments of Veeam software,” the company warned. “This reality underscores the critical importance of ensuring that all customers use the latest versions of our software and install all updates and patches directly.”
VBR servers targeted in ransomware attacks
VBR is popular among managed service providers and mid-sized to large enterprises, even though ransomware gangs commonly target VBR servers because they can serve as a quick jumping-off point for lateral movement inside breached networks, simplify data theft, and make it easy to block restoration efforts by deleting victims’ backups.
The financially motivated FIN7 threat group (which previously collaborated with the Conti, REvil, Maze, Egregor, and BlackBasta ransomware groups) and the Cuba ransomware gang have both been linked to past attacks targeting VBR vulnerabilities.
Sophos X-Ops incident responders also revealed in November 2024 that Frag ransomware exploited another VBR RCE bug disclosed two months earlier and also used in Akira and Fog ransomware attacks starting in October 2024.
Veeam says its products are used by more than 550,000 customers worldwide, including 74% of Global 2,000 companies and 82% of Fortune 500 companies.




