Veeam has released a new version of Backup & Replication, 13.0.1.2067, which addresses some critical security issues.
More information is available in KB 4831.
CVE-2026-21669, CVSS v3.1 Score: 9.9 – A vulnerability allowing an authenticated domain user to perform remote code execution (RCE) on the Backup Server.
Affects Windows-based servers.
CVE-2026-21670, CVSS v3.1 Score: 7.7 – A vulnerability allowing a low-privileged user to extract saved SSH credentials.
Affects both Windows-based servers and the Veeam Software Appliance.
CVE-2026-21671, CVSS v3.1 Score: 9.1 – A vulnerability allowing an authenticated user with the Backup Administrator role to perform remote code execution (RCE) in high availability (HA) deployments of Veeam Backup & Replication.
This vulnerability affects only the Veeam Software Appliance installation type.
CVE-2026-21672, CVSS v3.1 Score: 8.8 – A vulnerability allowing local privilege escalation on Windows-based Veeam Backup & Replication servers.
Affects only Windows-based installations.
CVE-2026-21708, CVSS v3.1 Score: 9.9 – A vulnerability allowing a Backup Viewer to perform remote code execution (RCE) as the postgres user.
Affects both types of Veeam Backup Server.
As you can see, no matter which installation type you’re using – Windows-based backup server or Veeam Software Appliance – it’s time to update ASAP.
Although this is not the topic of the vulnerabilities above, let me remind you that a production domain-joined VBR server is not a best practice. As for me, I will use VSA in all my future installations because it’s a really high-security appliance, which has already closed many vectors of possible attacks.