CVE-2026-21671
Published: 12 March 2026
Description
A vulnerability allowing an authenticated user with the Backup Administrator role to perform remote code execution (RCE) in high availability (HA) deployments of Veeam Backup & Replication.
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates CVE-2026-21671 by requiring timely application of vendor patches to remediate the code injection vulnerability in Veeam Backup & Replication HA deployments.
Prevents code injection (CWE-94) exploitation by enforcing information input validation at critical entry points in the vulnerable Veeam component.
Reduces attack surface by applying least privilege to limit assignment of the Backup Administrator role necessary for RCE exploitation.
Security SummaryAI
CVE-2026-21671 is a code injection vulnerability (CWE-94) in high availability (HA) deployments of Veeam Backup & Replication, enabling an authenticated user with the Backup Administrator role to achieve remote code execution (RCE). Published on 2026-03-12, it carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H), indicating critical severity due to its network accessibility, low attack complexity, and elevated privilege requirements.
Exploitation requires an authenticated attacker possessing the Backup Administrator role, who can then execute arbitrary code remotely over the network without user interaction. This grants high-impact consequences, including full compromise of confidentiality, integrity, and availability across the scoped components in HA environments.
Veeam's advisory at https://www.veeam.com/kb4831 provides details on patches and mitigation steps for this vulnerability.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability allows authenticated remote code execution via code injection in Veeam Backup & Replication, a remote service, directly mapping to Exploitation of Remote Services (T1210).