Keypoints
- Four critical RCE vulnerabilities in Veeam Backup & Replication (VBR) were patched (CVE-2026-21666, CVE-2026-21667, CVE-2026-21669, CVE-2026-21708).
- Low-privileged domain users and Backup Viewer accounts could achieve remote code execution on backup servers.
- Additional high-severity flaws allowed Windows privilege escalation, extraction of saved SSH credentials, and arbitrary file manipulation on repositories.
- Patches are available in Veeam Backup & Replication 12.3.2.4465 and 13.0.1.2067 and should be applied without delay.
- Ransomware gangs such as FIN7, Cuba, and Frag have targeted VBR to simplify data theft and lateral movement and to block recovery.