Backup systems have become increasingly valuable targets for attackers, particularly ransomware operators, because compromising them can undermine recovery capabilities and enable data destruction or exfiltration at scale.
Flaws allow privilege escalation and RCE
The most serious issues addressed in the advisory are the RCE bugs that an authenticated domain user can exploit to execute code on the Veeam Backup Server or associated components. In practice, this means an attacker who already has some level of access within the environment, such as through compromised credentials, could leverage the flaws to take control of backup infrastructure. The three bugs are tracked as CVE-2026-21666, CVE-2026-21667, and CVE-2026-21708.
The advisory also details two high-severity flaws. CVE-2026-21668 allows attackers with repository access to manipulate arbitrary files on backup infrastructure, potentially affecting stored backup data, and CVE-2026-21672, a local privilege escalation flaw, could enable attackers who already have limited access to elevate their privileges on the Veeam servers.
