CVE-2026-21666: Authenticated Remote Code Execution in Veeam Backup & Replication
Vulnerability ID: CVE-2026-21666
CVSS Score: 9.9
Published: 2026-03-12
CVE-2026-21666 is a critical remote code execution (RCE) vulnerability in Veeam Backup & Replication. By leveraging improper input validation, an authenticated domain user can inject arbitrary commands via newline characters, leading to execution with system-level privileges on the backup server infrastructure.
TL;DR
Authenticated domain users can achieve RCE on Veeam Backup & Replication servers via CRLF injection in service configuration parsing, fully compromising the backup infrastructure.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-93 / CWE-77
- Attack Vector: Network
- CVSS v3.1 Score: 9.9 (Critical)
- EPSS Score: 0.00301 (53.14%)
- Exploit Status: Weaponized Potential / PoC
- Privileges Required: Low (Domain User)
Affected Systems
- Veeam Backup & Replication
-
Veeam Backup & Replication: < 12.3.2.4465 (Fixed in:
12.3.2.4465)
Mitigation Strategies
- Apply vendor patches immediately to Veeam Backup Server and all connected nodes
- Implement Principle of Least Privilege for domain accounts
- Network segmentation for Backup Servers utilizing a dedicated management VLAN
Remediation Steps:
- Verify the current Veeam Backup & Replication version via the administrative console.
- Download the 12.3.2.4465 patch from the official Veeam customer portal.
- Apply the update to the central Backup Server.
- Initiate the component upgrade process to push updated binaries to all associated proxy and repository nodes.
- Review authentication access logs for unauthorized domain user authentications prior to patching.
References
- Veeam Security Advisory (KB4830)
- NVD Record
- CVE.org Record
- Tenable CVE Tracker
- The Hacker News Coverage
- CSO Online Report
Read the full report for CVE-2026-21666 on our website for more details including interactive diagrams and full exploit analysis.
Top comments (0)