{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-21667", "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "state": "PUBLISHED", "assignerShortName": "hackerone", "dateReserved": "2026-01-02T15:00:02.871Z", "datePublished": "2026-03-12T15:09:39.148Z", "dateUpdated": "2026-03-13T03:55:44.508Z"}, "containers": {"cna": {"descriptions": [{"lang": "en", "value": "A vulnerability allowing an authenticated domain user to perform remote code execution (RCE) on the Backup Server."}], "affected": [{"defaultStatus": "affected", "vendor": "Veeam", "product": "Backup and Replication", "versions": [{"version": "12.3.2", "status": "unaffected", "lessThan": "12.3.2", "versionType": "semver"}]}], "references": [{"url": "https://www.veeam.com/kb4830"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "baseScore": 10, "baseSeverity": "CRITICAL"}}], "providerMetadata": {"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone", "dateUpdated": "2026-03-12T15:09:39.148Z"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-284", "lang": "en", "description": "CWE-284 Improper Access Control"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-12T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2026-21667"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-13T03:55:44.508Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-21667", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-12T15:33:19.550557Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284 Improper Access Control"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-12T15:33:12.372Z"}}], "cna": {"metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 10, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"}}], "affected": [{"vendor": "Veeam", "product": "Backup and Replication", "versions": [{"status": "unaffected", "version": "12.3.2", "lessThan": "12.3.2", "versionType": "semver"}], "defaultStatus": "affected"}], "references": [{"url": "https://www.veeam.com/kb4830"}], "descriptions": [{"lang": "en", "value": "A vulnerability allowing an authenticated domain user to perform remote code execution (RCE) on the Backup Server."}], "providerMetadata": {"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone", "dateUpdated": "2026-03-12T15:09:39.148Z"}}}, "cveMetadata": {"cveId": "CVE-2026-21667", "state": "PUBLISHED", "dateUpdated": "2026-03-12T15:33:23.006Z", "dateReserved": "2026-01-02T15:00:02.871Z", "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "datePublished": "2026-03-12T15:09:39.148Z", "assignerShortName": "hackerone"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:veeam:veeam_backup_\\&_replication:*:*:*:*:*:*:*:*", "matchCriteriaId": "7C1376E5-9691-4087-B594-B03F061BE3C8", "versionEndExcluding": "12.3.2.4465", "versionStartIncluding": "12.0.0.1402", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability allowing an authenticated domain user to perform remote code execution (RCE) on the Backup Server."}, {"lang": "es", "value": "Una vulnerabilidad que permite a un usuario de dominio autenticado realizar ejecuci\u00f3n remota de c\u00f3digo (RCE) en el servidor de copia de seguridad."}], "id": "CVE-2026-21667", "lastModified": "2026-03-31T01:01:37.427", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 6.0, "source": "support@hackerone.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-12T15:16:13.133", "references": [{"source": "support@hackerone.com", "tags": ["Vendor Advisory"], "url": "https://www.veeam.com/kb4830"}], "sourceIdentifier": "support@hackerone.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[12.3.2,12.3.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Backup and Replication", "source": "cna", "vendor": "Veeam"}, "product": "backup_and_replication", "vendor": "veeam"}], "analysis": {"en": {"generated_at": "2026-03-31T05:51:58.942340+00:00", "value": {"mitigation_remediation": ["Apply the latest Veeam patch or update to a fixed release as soon as it is available.", "If a patch is not yet released, constrain the domain user\u2019s permissions on the Backup Server to the minimum required for backup operations.", "Actively monitor Backup Server logs for unusual authentication or command execution activity.", "Maintain strong network segmentation and firewall rules to limit external exposure of the backup infrastructure."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The affected product is Veeam Backup and Replication. Specific version information was not disclosed, so all variants running in an environment where domain users have normal login rights are potentially vulnerable.", "description_and_impact": "An authenticated domain user can exploit a flaw in Veeam Backup and Replication to execute arbitrary code on the Backup Server. The vulnerability is an access control weakness that allows trusted users to run commands with the server\u2019s privileges. Successful exploitation would let an attacker compromise the whole backup environment, potentially exposing stored backup data and allowing further lateral movement.", "risk_and_exploitability": "The CVSS score of 10 indicates critical damage potential, while the EPSS score under 1% suggests a low likelihood of widespread exploitation at present. The vulnerability is not catalogued on KEV lists. Exploitation requires the attacker to have valid domain credentials and access to the backup server; consequently, the attack vector is internal and authenticated. Once authenticated, the attacker can launch the remote code execution to gain full control of the backup server."}}}}, "created": "2026-03-13T09:53:07.586408+00:00", "updated": "2026-03-31T20:09:36.051163+00:00", "vendors": ["veeam", "veeam$PRODUCT$backup_and_replication"]}