Attack Chain

1. An attacker gains initial access to a system with Veeam Backup & Replication installed.
2. The attacker exploits CVE-2026-32996 to achieve privilege escalation within the Veeam application.
3. Using elevated privileges, the attacker gains unauthorized access to Veeam configuration files.
4. The attacker modifies backup job settings, potentially excluding critical data or injecting malicious code into backups.
5. The attacker exploits CVE-2026-32997 to further compromise data integrity, potentially corrupting backup files.
6. The attacker leverages the compromised Veeam infrastructure to access sensitive data stored in backup repositories.
7. The attacker exfiltrates sensitive data or deploys malicious code to systems during restoration processes.

Impact

Successful exploitation of these vulnerabilities could lead to a significant compromise of data integrity and confidentiality. An attacker could gain unauthorized access to sensitive data, modify or delete backups, and potentially use the compromised Veeam infrastructure to launch further attacks against the organization. The vulnerabilities affect Veeam Backup & Replication versions prior to 13.0.2.29, potentially impacting a large number of organizations relying on Veeam for data protection.

Recommendation

• Upgrade Veeam Backup & Replication to version 13.0.2.29 or later to address CVE-2026-32996 and CVE-2026-32997.
• Deploy the Sigma rules provided below to detect potential exploitation attempts.
• Monitor Veeam Backup & Replication logs for suspicious activity related to configuration changes or unauthorized access, enabling the appropriate logging level in Veeam.