Veeam patches multiple critical Backup & Replication flaws that can lead to remote code execution


Veeam has released a security update for Backup & Replication that fixes five vulnerabilities, including three critical flaws that can lead to remote code execution on the backup server. The patched release is build 12.3.2.4465, published on March 12, 2026. Veeam says all earlier version 12 builds are affected.

The most severe issues are CVE-2026-21666, CVE-2026-21667, and CVE-2026-21708. Each carries a CVSS 3.1 score of 9.9. Two of them allow an authenticated domain user to perform remote code execution on the Backup Server, while the third allows a user with Backup Viewer permissions to execute code as the postgres user.

Veeam also fixed two high-severity bugs. CVE-2026-21668 allows an authenticated domain user to bypass restrictions and manipulate arbitrary files on a Backup Repository. CVE-2026-21672 is a local privilege escalation flaw on Windows-based Veeam Backup & Replication servers. Both have a CVSS 3.1 score of 8.8.

The update matters because backup servers sit at the center of recovery operations. If attackers gain code execution on that infrastructure, they can target backups, repositories, credentials, and recovery workflows. Veeam warns that once patches and advisories become public, attackers often try to reverse engineer them to target systems that remain unpatched.

What Veeam fixed

| CVE | Severity | CVSS | What it can do |
|---|---|---|---|
| CVE-2026-21666 | Critical | 9.9 | Authenticated domain user can execute code on the Backup Server |
| CVE-2026-21667 | Critical | 9.9 | Authenticated domain user can execute code on the Backup Server |
| CVE-2026-21708 | Critical | 9.9 | Backup Viewer can execute code as the postgres user |
| CVE-2026-21668 | High | 8.8 | Authenticated domain user can manipulate arbitrary files on a Backup Repository |
| CVE-2026-21672 | High | 8.8 | Local privilege escalation on Windows-based Veeam servers |

Who needs to act

Admins running Veeam Backup & Replication 12 should treat this as a priority update. Veeam says the vulnerabilities affect Backup & Replication 12.3.2.4165 and all earlier version 12 builds. The fix starts with build 12.3.2.4465.

Organizations already on version 12.3.2 can apply the patch build. Older 12.x deployments need to move to the newer protected release path listed in Veeam’s release documentation. Veeam’s build matrix now shows 12.3.2.4465 as the March 12, 2026 patch release for version 12.

More than CVEs in this release

Veeam also bundled several component upgrades and operational fixes into the update. The company upgraded Decode-uri-component to 0.2.2, Newtonsoft.Json to 13.0.3, and Path-to-RegExp to 1.9.0.

The release also fixes a few product issues outside the security bulletin. These include a problem with GPG key updates on RHEL infrastructure servers running the DISA STIG profile, plus a PostgreSQL item restore issue in Enterprise Manager caused by a deserialization error. Veeam recommends temporarily disabling fapolicyd during updates on affected RHEL systems if that service is in use.

What admins should do now

  • Check the installed build in the Veeam Backup & Replication console under Help > About
  • Update to build 12.3.2.4465 or the latest supported secure release path
  • Prioritize backup servers that are domain-connected or broadly accessible internally
  • Review repository access and Backup Viewer permissions
  • Verify post-update services, repositories, and restore operations
  • Read the vendor advisory before scheduling maintenance
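The checklist starts with finding out which build each backup server runs and which servers are domain-joined. The script below is an added example, not code from Veeam or from this article. It assumes PowerShell remoting is enabled to each server, that the product's entry under the standard Windows Uninstall registry keys has a DisplayName beginning with "Veeam Backup & Replication" and carries the build number in DisplayVersion, and it uses a constructed server list; confirm the registry assumption against Help > About on one known server before relying on the output.

```powershell
# Added example (not Veeam's or the article's code): fleet triage against the fixed build
# named in the advisory. A 12.x build older than 12.3.2.4465 is reported as AFFECTED,
# matching the vendor statement that all earlier version 12 builds are vulnerable.
$FixedBuild = [version]'12.3.2.4465'

# Constructed inventory; replace with your own list or an import from CMDB/AD.
$Servers = @('vbr01.example.local', 'vbr02.example.local')

# Runs on each remote server: read the installed build and whether the host is domain-joined.
# Assumption: the Uninstall entry's DisplayName/DisplayVersion hold the product name and build.
$scan = {
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $entry = Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
             Where-Object { $_.DisplayName -like 'Veeam Backup & Replication*' } |
             Select-Object -First 1
    [pscustomobject]@{
        Build        = $entry.DisplayVersion
        DomainJoined = (Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain
    }
}

$results = foreach ($s in $Servers) {
    try {
        $info = Invoke-Command -ComputerName $s -ScriptBlock $scan -ErrorAction Stop
        $ver  = if ($info.Build) { [version]$info.Build } else { $null }
        $status = if (-not $ver)                { 'Unknown (no Veeam entry found)' }
                  elseif ($ver.Major -ne 12)    { 'Other major version - check advisory' }
                  elseif ($ver -lt $FixedBuild) { 'AFFECTED' }
                  else                          { 'Patched' }
        # Domain-joined, affected servers are the first to patch per the checklist.
        $priority = if ($status -eq 'AFFECTED' -and $info.DomainJoined) { 1 }
                    elseif ($status -eq 'AFFECTED') { 2 }
                    else { 3 }
        [pscustomobject]@{
            Server       = $s
            Build        = $info.Build
            DomainJoined = $info.DomainJoined
            Status       = $status
            Priority     = $priority
        }
    } catch {
        [pscustomobject]@{
            Server = $s; Build = $null; DomainJoined = $null
            Status = "Unreachable: $($_.Exception.Message)"; Priority = 0
        }
    }
}

$results | Sort-Object Priority, Server | Format-Table -AutoSize
```

Priority 1 rows are domain-joined servers still on a pre-12.3.2.4465 build, which is the population the advisory's authenticated-domain-user RCE bugs apply to; priority 0 rows are hosts the script could not reach and should be checked by hand rather than assumed patched.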

Veeam’s language in the advisory is direct. The company says customers should use the latest versions of its software and install all updates and patches without delay.

Quick summary

  • Veeam patched five Backup & Replication flaws on March 12, 2026
  • Three are critical RCE issues with CVSS scores of 9.9
  • Two more are high-severity flaws rated 8.8
  • The fixed version is Veeam Backup & Replication 12.3.2.4465
  • All earlier version 12 builds are affected according to Veeam

FAQ

Which Veeam version fixes the vulnerabilities?

Veeam says the issues are fixed starting with Veeam Backup & Replication 12.3.2.4465.

Are all version 12 builds affected?

Yes. Veeam says the disclosed vulnerabilities affect 12.3.2.4165 and all earlier version 12 builds.

What is the most serious risk?

The biggest risk is remote code execution on the Backup Server by an authenticated domain user. Veeam lists two critical bugs with that impact, both rated 9.9.

Did Veeam say the flaws are actively exploited?

Not in the advisory I checked. Veeam warned that attackers will likely try to reverse engineer the patch after disclosure, but the bulletin does not say the flaws are already under active exploitation.
