
Veeam Patches Multiple Critical RCE Vulnerabilities on Backup Server


A critical security update has been released for Veeam Backup & Replication to fix severe vulnerabilities that could allow attackers to execute remote code and escalate privileges.

Released on March 12, 2026, the latest security patch (Build 12.3.2.4465) is an essential update for administrators who need to secure their backup infrastructure against active threats.

Consistently applying fixes for Veeam backup software is a critical part of modern infrastructure security.

Critical Vulnerabilities Addressed

The update resolves three critical-severity vulnerabilities, each carrying a nearly maximum CVSS 3.1 score of 9.9.

These flaws present significant risks to enterprise backup environments:

CVE-2026-21666 (Critical 9.9): This vulnerability permits an authenticated domain user to execute arbitrary remote code directly on the Veeam Backup Server.

CVE-2026-21667 (Critical 9.9): Similar to the previous flaw, this issue also allows an authenticated domain user to trigger remote code execution (RCE) on the Backup Server, potentially leading to full system compromise.

CVE-2026-21708 (Critical 9.9): This critical flaw allows an attacker holding only Backup Viewer permissions to achieve RCE in the context of the internal PostgreSQL user, granting unauthorized control over backend database processes.

In addition to the critical RCE bugs, Veeam patched two high-severity vulnerabilities, both scoring 8.8 on the CVSS scale:

CVE-2026-21668 (High 8.8): This restriction bypass vulnerability enables an authenticated domain user to manipulate arbitrary files located on a Backup Repository, risking backup integrity.

CVE-2026-21672 (High 8.8): A local privilege escalation flaw affecting Windows-based Veeam Backup & Replication servers allows an attacker with limited local access to elevate their system privileges.

Technical Improvements and Fixes

Beyond patching the mentioned CVEs, build 12.3.2.4465 upgrades several core components to bolster overall system security.

The patch upgrades the bundled decode-uri-component package to version 0.2.2, Newtonsoft.Json to 13.0.3, and path-to-regexp to 1.9.0.

The release also resolves several operational issues. When updating RHEL-based infrastructure servers that have the DISA STIG profile enabled, the public GPG key used to validate Veeam packages is now updated correctly.

Veeam recommends temporarily turning off the fapolicyd service for the duration of this update to ensure a smooth transition.

Furthermore, the update fixes a deserialization error that previously caused PostgreSQL item restores initiated from Enterprise Manager to fail.

Veeam strongly advises administrators to apply the security patch immediately. To verify the currently installed version, open the Main Menu of the Veeam Backup & Replication Console and navigate to Help, then About.

Organizations currently running version 12.3.2 (builds 12.3.2.3617 or 12.3.2.4165) can download and apply a smaller dedicated patch file available as either an ISO or an EXE.

Deployments running older versions, such as 12.3.1 or earlier, must use the full installation ISO to upgrade to the secure 12.3.2.4465 build.

Always unblock the downloaded files before running the installer to prevent errors during installation. Sharing professional technical news on these issues helps ensure these critical updates reach the administrators who need them most.
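The version check and update-path decision described above can be scripted so the same answer is produced on every backup server. The following PowerShell is an added example, not Veeam's own tooling: it reads the installed build from the file version of the core assembly (an assumption; the default install directory and the use of Veeam.Backup.Core.dll as the version source are assumed and should be adjusted for non-default deployments), compares it against the patched build and the two builds eligible for the dedicated patch, and unblocks downloaded ISO/EXE files with the standard Unblock-File cmdlet. The function names are hypothetical.

```powershell
# Added example (not Veeam's own code): report the installed Veeam Backup & Replication build,
# decide which update path the advisory describes, and unblock downloaded patch files.

$PatchedBuild         = [version]'12.3.2.4465'
$DedicatedPatchBuilds = @([version]'12.3.2.3617', [version]'12.3.2.4165')

# Assumption: default install path; the core assembly's file version carries the product build.
$VeeamInstallDir = 'C:\Program Files\Veeam\Backup and Replication\Backup'
$CoreDll         = Join-Path $VeeamInstallDir 'Veeam.Backup.Core.dll'

function Get-VeeamBuild {
    param([string]$Path = $CoreDll)
    if (-not (Test-Path $Path)) {
        throw "Veeam core assembly not found at $Path; check the install directory."
    }
    # FileVersion is a plain 'major.minor.build.revision' string, so it casts to [version].
    [version](Get-Item $Path).VersionInfo.FileVersion
}

function Get-VeeamUpdateAction {
    param([Parameter(Mandatory)][version]$Installed)
    if ($Installed -ge $PatchedBuild) {
        return "Installed build $Installed is already 12.3.2.4465 or later; no action needed."
    }
    if ($DedicatedPatchBuilds -contains $Installed) {
        return "Installed build $Installed: apply the dedicated 12.3.2.4465 patch (ISO or EXE)."
    }
    return "Installed build $Installed is older than 12.3.2: upgrade with the full 12.3.2.4465 installation ISO."
}

function Unblock-VeeamDownload {
    # Remove the Zone.Identifier (mark-of-the-web) stream from downloaded patch media
    # so the installer does not fail; only ISO and EXE files under the folder are touched.
    param([Parameter(Mandatory)][string]$DownloadDir)
    Get-ChildItem -Path $DownloadDir -Include *.iso, *.exe -Recurse -File | ForEach-Object {
        Unblock-File -Path $_.FullName
        "Unblocked $($_.FullName)"
    }
}

# Usage on the backup server (run from an elevated PowerShell session):
$installed = Get-VeeamBuild
"Installed build: $installed"
Get-VeeamUpdateAction -Installed $installed
# After downloading the patch, e.g. to C:\Temp\VeeamPatch (placeholder path):
# Unblock-VeeamDownload -DownloadDir 'C:\Temp\VeeamPatch'
```

The script only reports and unblocks; it deliberately does not launch the installer, so it can be run across a fleet first to inventory which servers need the small dedicated patch and which need the full ISO before any maintenance window is scheduled.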

The post Veeam Patches Multiple Critical RCE Vulnerabilities on Backup Server appeared first on Cyber Security News.

Source: cybersecuritynews.com
