PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-32997 Veeam CVE debrief

A path traversal vulnerability in Veeam Backup & Replication allows authenticated users with the Backup Administrator role to write arbitrary files on Linux-based servers. The vulnerability stems from improper handling of absolute paths (CWE-36), enabling privileged file system manipulation. Published 2026-05-28 with CVSS 4.0 score 8.6 (HIGH). No known exploitation in the wild or ransomware campaign association. Affects Linux deployments specifically; Windows servers are not impacted.

Vendor
Veeam
Product
Backup and Replication
CVSS
HIGH 8.6
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-28
Original CVE updated
2026-05-29
Advisory published
2026-05-28
Advisory updated
2026-05-29

Who should care

Organizations running Veeam Backup & Replication on Linux servers with multiple Backup Administrator accounts; security teams managing privileged access to backup infrastructure; compliance officers responsible for data protection controls; incident response teams monitoring backup system integrity

Technical summary

The vulnerability exists in Veeam Backup & Replication's file handling mechanisms on Linux platforms. An authenticated attacker with Backup Administrator privileges can supply absolute paths that bypass intended directory restrictions, resulting in arbitrary file write capability. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H) indicates network accessibility, low attack complexity, no user interaction, but requires high privileges—consistent with the Backup Administrator role constraint. Impact spans confidentiality, integrity, and availability (VC:H/VI:H/VA:H). The attack surface is limited to authenticated administrative users, reducing exposure but not eliminating risk given the powerful capabilities granted to this role. Linux-specific implementation appears to lack path sanitization present in Windows variants.
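The CWE-36 pattern described above (an absolute path supplied by the caller defeating a directory restriction) is easy to see in code. The following is an added example written for this debrief, not Veeam's code; `/opt/veeam/backups` as a repository root and the `.vbk` file names are assumed placeholders. It places the unsafe join beside a confined one that rejects absolute input, normalises `..` segments, and proves the result still sits under the root before returning it:

```python
import posixpath


def join_vulnerable(repo_root, requested):
    """CWE-36 pattern: join() with an absolute second argument discards the
    root, so an absolute 'requested' lands wherever the caller says."""
    return posixpath.normpath(posixpath.join(repo_root, requested))


def join_confined(repo_root, requested):
    """Hardened variant: reject absolute input, normalise '..' segments, then
    prove the candidate is still inside repo_root before returning it."""
    root = posixpath.normpath(repo_root)
    if not posixpath.isabs(root):
        raise ValueError("repo_root must be absolute")
    if posixpath.isabs(requested):
        raise ValueError(f"absolute path rejected: {requested!r}")
    candidate = posixpath.normpath(posixpath.join(root, requested))
    # commonpath, not startswith: '/opt/veeam/backups2' must not pass for
    # a root of '/opt/veeam/backups'.
    if posixpath.commonpath([root, candidate]) != root:
        raise ValueError(f"path escapes repository root: {requested!r}")
    return candidate


def evaluate(repo_root, requested):
    """Side-by-side result: what the unsafe join produces versus what the
    confined join returns (a path, or 'REJECTED: <reason>')."""
    vulnerable = join_vulnerable(repo_root, requested)
    try:
        confined = join_confined(repo_root, requested)
    except ValueError as exc:
        confined = f"REJECTED: {exc}"
    return vulnerable, confined


if __name__ == "__main__":
    # Constructed inputs: one legitimate repository-relative name, one
    # absolute path, one '..' escape, one sibling-directory escape.
    root = "/opt/veeam/backups"
    for req in ("job1/full.vbk", "/etc/cron.d/job", "../../../etc/passwd", "../backups2/x"):
        print(f"{req!r:>24} -> {evaluate(root, req)}")
```

On a real filesystem the same check should run on `os.path.realpath()` of the candidate so that symlinks inside the repository cannot point the write back outside it; the string-level check above is the part that the vulnerable behaviour lacks, and it is deterministic enough to unit test without touching disk.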

Defensive priority

HIGH

Recommended defensive actions

  • Apply Veeam security updates per KB4852 when available
  • Restrict Backup Administrator role assignments to essential personnel only
  • Monitor Linux Veeam servers for unexpected file modifications in critical system directories
  • Review file integrity monitoring alerts on /etc, /bin, /lib, and /opt/veeam paths
  • Validate backup server access logs for anomalous administrative activity
  • Segment backup infrastructure from production networks to limit lateral movement
  • Confirm Windows-based Veeam deployments are unaffected while maintaining patch readiness
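The third and fourth actions above amount to file integrity monitoring over a short watch list. As an added example (written for this page, not a Veeam or PatchSiren tool), the script below takes a SHA-256 baseline of a directory tree, diffs a later baseline against it, and keeps only changes under the advisory's `/etc`, `/bin`, `/lib` and `/opt/veeam` prefixes. The `demo()` scenario is constructed: a temporary directory stands in for `/`, and the file names and contents in it are invented for the run.

```python
import hashlib
import os
import posixpath
import tempfile

# Prefixes named in the recommended actions; matched against paths that are
# expressed relative to the monitored root and written as absolute POSIX paths.
WATCHED_PREFIXES = ("/etc", "/bin", "/lib", "/opt/veeam")


def sha256_file(path, chunk=1 << 16):
    """Hash a file in chunks so large backup artefacts need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map every regular file under root to its digest, keyed by the path
    relative to root written as '/etc/...'. Symlinks are skipped so that a
    link cannot make an outside file appear as in-tree content."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline["/" + rel] = sha256_file(full)
    return baseline


def diff_baseline(old, new):
    """Classify paths as added, removed or modified between two baselines."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    return {"added": added, "removed": removed, "modified": modified}


def is_watched(path, prefixes=WATCHED_PREFIXES):
    """True when path is a watched prefix or lies beneath one. commonpath is
    used instead of startswith so '/etcetera/x' does not match '/etc'."""
    norm = posixpath.normpath(path)
    return any(posixpath.commonpath([norm, p]) == p for p in prefixes)


def filter_watched(changes, prefixes=WATCHED_PREFIXES):
    """Drop changes outside the watch list so the alert set stays reviewable."""
    return {kind: [p for p in paths if is_watched(p, prefixes)]
            for kind, paths in changes.items()}


def demo():
    """Constructed scenario: baseline a fake root, change three files (two in
    watched directories, one not), and return only the watched changes."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data):
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as f:
                f.write(data)

        write("etc/cron.d/backup-rotate", "0 2 * * * root /opt/veeam/bin/rotate\n")
        write("opt/veeam/conf/agent.cfg", "log_level=info\n")
        write("var/tmp/scratch.txt", "temporary\n")
        before = build_baseline(root)

        write("etc/cron.d/backup-rotate", "0 2 * * * root /usr/local/bin/changed\n")  # modified
        write("bin/dropped", "#!/bin/sh\n")                                           # added
        write("var/tmp/scratch.txt", "changed, but outside the watch list\n")          # ignored
        after = build_baseline(root)

        return filter_watched(diff_baseline(before, after))


if __name__ == "__main__":
    print(demo())
```

In production the baseline would be written to storage the Backup Administrator role cannot modify and refreshed only after an approved change, since an account with that role is the actor this CVE concerns; a diff whose `added` or `modified` list is non-empty under `/etc`, `/bin` or `/lib` on a backup server is the signal the fourth action asks reviewers to chase.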

Evidence notes

Vulnerability disclosed via HackerOne and published in NVD with 'Received' status. Official vendor advisory available through Veeam KB4852. CVSS 4.0 vector confirms network attack vector with high privileges required (PR:H) but no user interaction needed.

Official resources

2026-05-28