PatchSiren cyber security CVE debrief
CVE-2026-21672 Veeam CVE debrief
CVE-2026-21672 is a high-severity local privilege escalation issue affecting Windows-based Veeam Backup & Replication servers. The supplied NVD data rates it 8.8 (HIGH) and points to vendor KB references for remediation guidance. Because the attack requires local access and low privileges, the main risk is post-compromise escalation on systems already reachable by an attacker or untrusted user.
- Vendor
- Veeam
- Product
- Unknown
- CVSS
- HIGH 8.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-03-12
- Original CVE updated
- 2026-05-10
- Advisory published
- 2026-03-12
- Advisory updated
- 2026-05-10
Who should care
Veeam Backup & Replication administrators, Windows server owners, IT operations teams, and defenders responsible for privilege and access controls on backup infrastructure.
Technical summary
The supplied NVD record describes CVE-2026-21672 as a local privilege escalation on Windows-based Veeam Backup & Replication servers. NVD’s CVSS vector (AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) indicates that an attacker needs local access and low privileges, but successful exploitation could have broad impact across confidentiality, integrity, and availability. NVD also associates the issue with CWE-538 and links to two Veeam knowledge base articles (KB4830 and KB4831) for vendor guidance.
Defensive priority
High priority for any Windows host running Veeam Backup & Replication, especially environments where non-admin local access exists or where backup servers are shared among multiple operators.
Recommended defensive actions
- Review the linked Veeam guidance in KB4830 and KB4831 and apply the vendor-recommended remediation as soon as it is validated for your environment.
- Inventory Windows-based Veeam Backup & Replication servers and confirm which installations are exposed to local users, delegated admins, or other interactive access.
- Restrict local and interactive access to backup servers to the minimum required accounts and remove unnecessary privileged group memberships.
- Monitor backup infrastructure for unusual privilege changes, new local administrators, suspicious service changes, and other signs of escalation activity.
- Validate that your vulnerability management records reflect the CVE publication date of 2026-03-12 and track the later 2026-05-10 metadata update separately from disclosure timing.
Evidence notes
All statements are limited to the supplied corpus: the CVE title/description, the NVD metadata, and the referenced Veeam KB links. The NVD entry lists the vulnerability status as "Awaiting Analysis," includes the CVSS 3.1 vector AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H, and associates the issue with CWE-538. The corpus does not include affected version ranges, exploit details, or the contents of KB4830/KB4831, so those are not inferred here.
Official resources
Publicly disclosed in the CVE/NVD record on 2026-03-12, with the source metadata last modified on 2026-05-10. No KEV listing is present in the supplied data.