CVE-2026-21666
Published: 12 March 2026
Description
A vulnerability allowing an authenticated domain user to perform remote code execution (RCE) on the Backup Server.
Mitigating Controls (NIST 800-53 r5) (AI)
- Directly mitigates the RCE vulnerability by requiring timely patching of the specific flaw in Veeam Backup Server as outlined in the official advisory.
- Enforces approved access control policies to counter the improper access control (CWE-284) that enables authenticated domain users to achieve RCE.
- Limits privileges of low-privilege authenticated domain users to the minimum necessary, reducing the impact and likelihood of successful RCE exploitation.
Security Summary (AI)
CVE-2026-21666 is a critical vulnerability (CVSS 3.1 score of 9.9) in Veeam Backup Server that enables remote code execution (RCE). It stems from improper access control (CWE-284) and allows an authenticated domain user to execute arbitrary code on the affected Backup Server. The issue was publicly disclosed on March 12, 2026.
An attacker with low privileges, such as an authenticated domain user, can exploit this vulnerability remotely over the network with low attack complexity and no user interaction. Successful exploitation has a high impact on confidentiality, integrity, and availability, and the CVSS scope is changed, meaning the impact can extend beyond the vulnerable component itself.
For mitigation details, refer to the official Veeam advisory at https://www.veeam.com/kb4830, which provides guidance on patches and workarounds.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
The CVE enables remote code execution on Veeam Backup Server via improper access control for authenticated domain users, which maps directly to exploitation of public-facing applications (T1190) and exploitation of remote services (T1210).