PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-21669 Veeam CVE debrief

CVE-2026-21669 is a critical remote code execution issue affecting Veeam Backup & Replication on the Backup Server. According to the NVD record, the vulnerable range runs from version 13.0.0.496 up to, but not including, 13.0.1.2067, and the issue can be reached by an authenticated domain user. The CVSS vector indicates a network attack vector, low attack complexity, low privileges required, no user interaction, and high impact to confidentiality, integrity, and availability.

Vendor: Veeam
Product: CVE-2026-21669
CVSS: CRITICAL 9.9
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-03-12
Original CVE updated: 2026-05-10
Advisory published: 2026-03-12
Advisory updated: 2026-05-10

Who should care

Administrators and security teams responsible for Veeam Backup & Replication, especially in environments where authenticated domain users can interact with the Backup Server. Organizations running versions in the affected range should prioritize remediation.

Technical summary

NVD classifies the weakness primarily as CWE-94 (code injection) with a secondary CWE-693 entry. The CVSS 3.1 vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H, which aligns with a remotely reachable issue that becomes severe once an attacker has authenticated domain-user access. The NVD CPE criteria identify Veeam Backup & Replication versions starting with 13.0.0.496 and ending before 13.0.1.2067 as vulnerable.

Defensive priority

Immediate. The published severity is Critical (CVSS 9.9), and the attack path requires only authenticated access with no user interaction.

Recommended defensive actions

  • Upgrade Veeam Backup & Replication to version 13.0.1.2067 or later.
  • Verify whether any deployed instances match the affected NVD CPE range: 13.0.0.496 through 13.0.1.2066.
  • Review domain-user access to the Backup Server and reduce unnecessary authenticated access.
  • Monitor the Backup Server and related administrative activity for unexpected execution or configuration changes.
  • Use the vendor advisory and NVD record to confirm remediation guidance and product scope before making changes.
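
The range check from the list above, as an added example (not code from Veeam, NVD or PatchSiren): it classifies build strings from an inventory export against the bounds quoted on this page, comparing the four parts numerically so that a build such as 13.0.1.300 is not mistaken for a fixed one by string ordering. The host names, sample builds and function names are constructed for illustration.

```python
import re

# Bounds taken from the NVD CPE range quoted on this page.
RANGE_START = (13, 0, 0, 496)    # inclusive lower bound
FIXED_BUILD = (13, 0, 1, 2067)   # exclusive upper bound, first fixed build

_BUILD_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)\.(\d+)\s*$")

def parse_build(text):
    """Return a 4-tuple of ints, or None if text is not a four-part build."""
    m = _BUILD_RE.match(text or "")
    return tuple(int(p) for p in m.groups()) if m else None

def classify(build_text):
    """Classify one build string against the CVE-2026-21669 range."""
    build = parse_build(build_text)
    if build is None:
        return "unparseable"      # needs a manual look, never assumed safe
    if build >= FIXED_BUILD:
        return "fixed"
    if build >= RANGE_START:
        return "affected"
    return "outside-range"        # older than the range NVD lists; check the advisory

def triage(inventory):
    """Map {host: build string} to {status: [hosts]}, hosts in sorted order."""
    result = {}
    for host, build_text in sorted(inventory.items()):
        result.setdefault(classify(build_text), []).append(host)
    return result

# Constructed inventory: hypothetical hosts and builds, not taken from the page.
SAMPLE_INVENTORY = {
    "vbr-01": "13.0.0.496",    # lower bound, inclusive
    "vbr-02": "13.0.1.2066",   # last build inside the range
    "vbr-03": "13.0.1.2067",   # first fixed build
    "vbr-04": "13.0.1.300",    # "300" sorts after "2067" as a string
    "vbr-05": "12.1.0.100",    # older than the listed range
    "vbr-06": "13.0.1",        # incomplete version string
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts)}")
```

Hosts reported as unparseable or outside-range still need a manual check against the vendor advisory, since this page only carries the NVD range.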

Evidence notes

This debrief is based only on the supplied NVD record, the CVE record link, and the vendor advisory reference. The vulnerability description states that an authenticated domain user can achieve remote code execution on the Backup Server. NVD metadata supplies the affected version range (from 13.0.0.496 up to, but not including, 13.0.1.2067), the CVSS vector, and the CWE classifications. The publication date used for timing context is 2026-03-12, and the modified date is 2026-05-10.

Official resources

Publicly disclosed on 2026-03-12 and later modified in the NVD record on 2026-05-10. No exploit code or weaponized reproduction details are included here.