CVE-2026-21667 – Veeam Backup & Replication Security Update for Multiple Critical Vulnerabilities

Veeam released security updates addressing several vulnerabilities in Veeam Backup & Replication, including CVE-2026-21666, CVE-2026-21667, CVE-2026-21668, CVE-2026-21669, CVE-2026-21671, CVE-2026-21672, and CVE-2026-21708. These vulnerabilities impact core backup server operations, repository controls, and privilege handling within the platform. Multiple issues allow authenticated domain users to perform remote code execution on the backup server, while others enable privilege escalation or the ability to manipulate files in backup repositories. Because backup infrastructure interacts closely with production systems and recovery data, compromise of this platform could disrupt disaster recovery capabilities and expose sensitive data.

CVE-2026-21666 has a CVSS score of 10.0, which is Critical severity. CVE-2026-21667 has a CVSS score of 9.9, which is Critical severity. CVE-2026-21668 has a CVSS score of 8.8, which is High severity. CVE-2026-21672 has a CVSS score of 8.8, which is High severity. CVE-2026-21708 has a CVSS score of 9.9, which is Critical severity. CVE-2026-21669 has a CVSS score of 9.9, which is Critical severity. CVE-2026-21671 has a CVSS score of 9.1, which is Critical severity. Several of these vulnerabilities enable authenticated users to execute code on backup servers or escalate privileges, which significantly increases the risk for environments where backup systems are integrated with domain credentials and administrative roles.