Data protection company Veeam Software has patched multiple flaws in its Backup & Replication solution, including four critical remote code execution (RCE) vulnerabilities.
VBR is enterprise data backup and recovery software that helps IT administrators create copies of critical data for quick restoration following cyberattacks and hardware failures.
Three RCE security flaws patched today (tracked as CVE-2026-21666, CVE-2026-21667, and CVE-2026-21669) allow low-privileged domain users to execute remote code on vulnerable backup servers in low-complexity attacks.
The fourth one (tracked as CVE-2026-21708) allows a Backup Viewer to gain remote code execution as the postgres user.
Veeam also addressed multiple high-severity security bugs that can be exploited to escalate privileges on Windows-based Veeam Backup & Replication servers, extract stored SSH credentials, and bypass restrictions to manipulate arbitrary files on a Backup Repository.
These vulnerabilities were discovered during internal testing or reported via HackerOne and are resolved in Veeam Backup & Replication versions 12.3.2.4465 and 13.0.1.2067.
Veeam also warned admins to upgrade the software to the latest release as soon as possible, since threat actors often begin developing exploits shortly after patches are released.
“It is important to note that once a vulnerability and its associated patch are disclosed, attackers will likely attempt to reverse-engineer the patch to exploit unpatched deployments of Veeam software,” the company warned. “This reality underscores the critical importance of ensuring that all customers use the latest versions of our software and install all updates and patches without delay.”
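The practical follow-up to this advisory is an inventory check: which VBR servers are at or above the fixed builds named above, and which are not. The script below is an added example written for this article, not Veeam's own tooling. It takes the two fixed build numbers from the text (12.3.2.4465 for the 12.x line and 13.0.1.2067 for the 13.x line) and assumes that any build in the same major line at or above the fixed build carries the fix; hostnames and every other build number in the sample inventory are constructed, and major lines the article does not mention are reported as unknown rather than guessed.

```python
from typing import Dict, List, Tuple

# Fixed builds named in the Veeam advisory, keyed by major version line.
# Assumption: any build in the same major line at or above the fixed build
# includes the fix; lines not listed here are not covered by the article.
FIXED_BUILDS: Dict[int, Tuple[int, int, int, int]] = {
    12: (12, 3, 2, 4465),
    13: (13, 0, 1, 2067),
}


def parse_build(version: str) -> Tuple[int, int, int, int]:
    """Turn 'major.minor.patch.build' into a tuple of ints.

    Comparing tuples of ints avoids the string-comparison trap where
    '12.3.2.999' would sort above '12.3.2.4465'.
    """
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"expected a four-part build number, got {version!r}")
    major, minor, patch, build = (int(p) for p in parts)
    return (major, minor, patch, build)


def patch_status(version: str) -> str:
    """Classify an installed VBR build against the fixed builds.

    Returns 'patched', 'vulnerable', or 'unknown' (major line not covered
    by the advisory text; such hosts need a manual check, not a guess).
    """
    build = parse_build(version)
    fixed = FIXED_BUILDS.get(build[0])
    if fixed is None:
        return "unknown"
    return "patched" if build >= fixed else "vulnerable"


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each host in an inventory to its patch status."""
    return {host: patch_status(ver) for host, ver in inventory.items()}


def hosts_needing_action(inventory: Dict[str, str]) -> List[str]:
    """Hosts that are vulnerable or cannot be classified, sorted by name."""
    return sorted(h for h, s in triage(inventory).items() if s != "patched")


# Constructed sample inventory: hostnames and the non-fixed build numbers are
# made up for this example; only the two fixed builds come from the article.
SAMPLE_INVENTORY = {
    "vbr-prod-01": "12.3.2.4465",  # exactly the fixed 12.x build
    "vbr-prod-02": "12.3.1.100",   # constructed older 12.x build
    "vbr-lab-01": "13.0.1.2067",   # exactly the fixed 13.x build
    "vbr-lab-02": "13.0.0.100",    # constructed older 13.x build
    "vbr-legacy": "11.0.1.100",    # constructed build on a line the article does not cover
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:12} {SAMPLE_INVENTORY[host]:14} {status}")
```

The tuple comparison is the point of `parse_build`: a naive string compare on build numbers misorders four-digit build components, which is exactly the kind of bug that lets an unpatched server pass an inventory check. Hosts on a major line the advisory does not name are surfaced as "unknown" so they land in the action list instead of being silently treated as safe.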
VBR servers targeted in ransomware attacks
VBR is popular among managed service providers and mid-sized to large enterprises, and ransomware gangs commonly target VBR servers because they can serve as a quick jumping-off point for lateral movement inside breached networks, simplify data theft, and make it easy to block recovery efforts by deleting victims’ backups.
The financially motivated FIN7 threat group (which previously collaborated with the Conti, REvil, Maze, Egregor, and BlackBasta ransomware groups) and the Cuba ransomware gang have both been linked to past attacks targeting VBR vulnerabilities.
Sophos X-Ops incident responders also revealed in November 2024 that Frag ransomware exploited another VBR RCE bug disclosed two months earlier and also used in Akira and Fog ransomware attacks starting in October 2024.
Veeam says its products are used by more than 550,000 customers worldwide, including 74% of Global 2,000 companies and 82% of Fortune 500 firms.