Cyber Posture

CVE-2026-21708


Published: 12 March 2026

Modified: 17 April 2026
KEV Added: not listed
Patch: not listed
CVSS Score: N/A
EPSS Score: 0.0094 (76.3rd percentile)
Risk Priority: 1 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Security Summary

CVE-2026-21708, published on 2026-03-12, is a critical vulnerability (CVSS 9.9, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) that allows a user with Backup Viewer privileges to perform remote code execution (RCE) as the postgres user. The flaw affects Veeam software components supporting the Backup Viewer role.

A low-privileged attacker holding a Backup Viewer account can exploit this vulnerability remotely over the network with low attack complexity and no user interaction. Successful exploitation yields RCE in the context of the postgres user, with high impact on confidentiality, integrity, and availability and a changed scope (the compromised component affects resources beyond its own security authority).

Veeam advisories at https://www.veeam.com/kb4830 and https://www.veeam.com/kb4831 detail patches and mitigation steps for addressing this issue.

Details

CWE(s): CWE-89 (Improper Neutralization of Special Elements used in an SQL Command, 'SQL Injection')

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1210 Exploitation of Remote Services (tactic: Lateral Movement): Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
Why these techniques?

Remote code execution as the postgres user from a low-privileged (Backup Viewer) account maps directly to Exploitation for Privilege Escalation (T1068), since the attacker gains a higher-privileged execution context, and to Exploitation of Remote Services (T1210), since the flaw is reachable over the network from inside the environment.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
