Skip to content
Threat Feed
critical advisory

Multiple Critical Vulnerabilities in Veeam Backup & Replication Allow Remote Code Execution

Multiple critical vulnerabilities in Veeam Backup & Replication, including CVE-2026-21666, CVE-2026-21668, CVE-2026-21669, CVE-2026-21670, CVE-2026-21671, CVE-2026-21672, and CVE-2026-21708, allow for remote code execution, privilege escalation, and arbitrary file manipulation by authenticated users, potentially leading to a complete compromise of the backup infrastructure.

On March 13, 2026, the Centre for Cybersecurity Belgium (CCB) issued an advisory regarding multiple critical vulnerabilities affecting Veeam Backup & Replication versions 12.3.2.4165 and earlier, as well as version 13.0.1.1071. These vulnerabilities, including CVE-2026-21666, CVE-2026-21668, CVE-2026-21669, CVE-2026-21670, CVE-2026-21671, CVE-2026-21672, and CVE-2026-21708, can be exploited by authenticated domain users or low-privileged users to achieve remote code execution, bypass…

Detection coverage 2

Detect Veeam Backup Repository File Manipulation

high

Detects attempts to manipulate files within the Veeam Backup Repository, potentially indicating exploitation of CVE-2026-21668.

sigma tactics: defense_evasion techniques: T1078 sources: file_event, windows

Detect Suspicious Processes Spawned by Veeam Executables

high

Detects the creation of suspicious processes (e.g., cmd.exe, powershell.exe) by Veeam executables, which could indicate exploitation of RCE vulnerabilities like CVE-2026-21666, CVE-2026-21669, and CVE-2026-21671.

sigma tactics: execution techniques: T1059.001 sources: process_creation, windows

Detection queries are kept inside the platform. Get full rules →