Veeam Backup RCE Flaws Put Enterprise Servers at Serious Risk

By Kavitha Nair
AI-powered tech writer covering the business and industry of technology.
7 Min Read

Veeam Backup RCE vulnerabilities are once again forcing enterprise administrators into emergency patch cycles, with Veeam releasing fixes for three critical-severity and two high-severity flaws in its Backup and Replication software. The flaws affect Veeam Backup and Replication, a widely deployed data protection platform used by mid-sized and large enterprises and managed service providers worldwide. Patches were released in two waves — version 13.0.1.1071 on January 6, 2026, and a subsequent version 13.0.1.2067 addressing additional critical issues. No public evidence of active exploitation existed at the time of disclosure, but given the platform’s history as a prime ransomware target, the window between disclosure and weaponisation tends to be short.

What the Veeam Backup RCE Vulnerabilities Actually Allow

The most severe of the newly disclosed flaws carry CVSS scores of 9.9, placing them at the top end of the critical severity scale. CVE-2026-21669 allows an authenticated domain user to execute remote code on a Windows Backup Server, while CVE-2026-21708 gives a Backup Viewer role the ability to run code as the postgres database user on both Windows and appliance deployments. CVE-2026-21671, rated CVSS 9.1, targets high-availability deployments specifically — a Backup Administrator in an HA configuration on the Veeam Software Appliance can exploit it for RCE. All three are addressed in version 13.0.1.2067.

The earlier patch wave in January 2026 addressed CVE-2025-59470, initially scored at CVSS 9.0 before being downgraded to High after Veeam confirmed that exploitation requires the Backup or Tape Operator role. According to Veeam’s own advisory, the flaw allows an operator to perform remote code execution as the postgres user by sending a malicious interval or order parameter. Two additional vulnerabilities — CVE-2025-55125 and CVE-2025-59469, both rated CVSS 7.2 — enable arbitrary file writes and RCE as root via a malicious backup configuration file. CVE-2025-59468, rated CVSS 6.7, permits RCE as postgres through a malicious password parameter.

Why Backup Servers Are the Highest-Value Ransomware Target

Veeam Backup and Replication has been exploited repeatedly by ransomware operators precisely because backup infrastructure is the last line of defence. Compromise a backup server and you do not just steal data — you eliminate the victim’s ability to recover without paying. The Frag ransomware group exploited CVE-2024-40711 in November 2024, and Akira and Fog ransomware operators targeted a separate Veeam flaw in October 2024. Before those campaigns, groups linked to Cuba, FIN7, and affiliates of Conti, REvil, Maze, Egregor, and BlackBasta all used Veeam vulnerabilities as entry points or pivot opportunities. This is not a platform that attracts opportunistic attackers — it attracts sophisticated, financially motivated threat actors who understand exactly what they are destroying when they hit a backup server.

Unlike general-purpose backup platforms with smaller enterprise footprints, Veeam’s dominance among mid-market and large enterprise customers makes it a concentrated, high-reward target. A single successful exploit in a large MSP environment could cascade across dozens of client organisations simultaneously. That asymmetry between attacker effort and potential damage is precisely why these vulnerabilities demand immediate attention rather than the usual patch-cycle treatment.

How to Prioritise Patching These Veeam Flaws

Veeam itself has been clear about the privilege level of the roles involved. The company stated in its advisory that the Backup and Tape Operator roles are considered highly privileged and should be protected accordingly, adding that following Veeam’s recommended Security Guidelines further reduces exploitability. That guidance matters, but it is not a substitute for patching. Privilege requirements lower the theoretical attack surface, but in environments where role assignments are broad, or where an attacker has already achieved initial access through phishing or credential theft, a privileged-role requirement is a modest barrier.

Administrators running Veeam Backup and Replication version 13.0 or any earlier v13 build should prioritise updating to version 13.0.1.2067, which addresses the full set of disclosed vulnerabilities including the three critical 2026 CVEs. Those already on 13.0.1.1071 still need to apply the second patch for the newer critical flaws. The patches are available as standard updates for licensed VBR users at no additional cost.
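One way to turn the two fix releases above into a fleet triage check is shown below. This is an added example, not Veeam's own tooling: the fix-version-to-CVE mapping comes from this article, the hostnames and the pre-patch build number are constructed sample data, and plain dotted-numeric version comparison is an assumption.

```python
"""Triage a Veeam Backup & Replication inventory against the fixes named above.

Mapping of fix builds to CVEs is taken from the article. Hostnames and the
pre-patch build number are constructed for illustration (assumption: VBR
builds compare as dotted numeric tuples)."""
from typing import Dict, List, Tuple

# Fix releases named in the article and the CVEs each one closes.
FIX_RELEASES: Dict[str, List[str]] = {
    "13.0.1.1071": ["CVE-2025-59470", "CVE-2025-55125",
                    "CVE-2025-59469", "CVE-2025-59468"],
    "13.0.1.2067": ["CVE-2026-21669", "CVE-2026-21708", "CVE-2026-21671"],
}
TARGET = "13.0.1.2067"  # build that closes the full set


def parse_version(v: str) -> Tuple[int, ...]:
    """'13.0.1.1071' -> (13, 0, 1, 1071); missing trailing parts count as 0."""
    parts = tuple(int(p) for p in v.strip().split("."))
    return parts + (0,) * (4 - len(parts))


def outstanding_cves(installed: str) -> List[str]:
    """CVEs from the article still open on a given v13 build.
    Builds outside v13 are outside the article's scope and are rejected."""
    ver = parse_version(installed)
    if ver[0] != 13:
        raise ValueError(f"{installed}: not a v13 build; outside article scope")
    return [cve for fix, cves in FIX_RELEASES.items()
            if ver < parse_version(fix) for cve in cves]


def triage(hosts: Dict[str, str]) -> List[Tuple[str, str, List[str]]]:
    """Return (host, installed build, open CVEs), most exposed hosts first.
    Hosts already on the target build are omitted."""
    rows = [(h, v, outstanding_cves(v)) for h, v in hosts.items()]
    return sorted((r for r in rows if r[2]), key=lambda r: -len(r[2]))


# Constructed sample inventory (hypothetical hostnames; 13.0.0.4967 is a
# made-up pre-patch v13 build, not a real Veeam release number).
SAMPLE_HOSTS = {
    "vbr-01": "13.0.1.2067",   # fully patched
    "vbr-02": "13.0.1.1071",   # first wave only; second patch still needed
    "vbr-03": "13.0.0.4967",   # hypothetical unpatched v13 build
}

if __name__ == "__main__":
    for host, build, cves in triage(SAMPLE_HOSTS):
        print(f"{host} ({build}): update to {TARGET}; open: {', '.join(cves)}")
```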

Is Veeam Backup and Replication safe to use right now?

Veeam Backup and Replication is safe to use once patched to version 13.0.1.2067. No evidence of active exploitation of these specific vulnerabilities was reported at the time of disclosure. However, unpatched instances running v13.0 or earlier v13 builds remain at serious risk, particularly in environments where Backup, Tape Operator, or Backup Administrator roles are broadly assigned.

What CVSS score makes a vulnerability critical?

The Common Vulnerability Scoring System classifies vulnerabilities rated 9.0 to 10.0 as Critical. Two of the newly patched Veeam flaws — CVE-2026-21669 and CVE-2026-21708 — carry CVSS scores of 9.9, placing them near the maximum possible severity. A score this high typically indicates that exploitation could lead to complete system compromise with minimal attacker prerequisites beyond authentication.

Why do ransomware groups target backup software specifically?

Ransomware operators target backup software because destroying or encrypting backups removes the victim’s primary recovery option, dramatically increasing the likelihood of a ransom payment. Veeam Backup and Replication is a frequent target because of its widespread deployment across enterprises and MSPs. Past ransomware campaigns exploiting Veeam flaws include those attributed to Frag, Akira, Fog, Cuba, and FIN7-linked groups.

The pattern here is consistent and well-established: Veeam discloses, attackers weaponise, enterprises scramble. The only variable is how quickly administrators respond. With CVSS 9.9 scores on the board and a ransomware ecosystem that has demonstrated it will exploit Veeam vulnerabilities within weeks of disclosure, version 13.0.1.2067 needs to be in production before the end of the week — not the end of the quarter.

This article was written with AI assistance and editorially reviewed.

Source: TechRadar
