Veeam Patches Multiple Critical RCE Vulnerabilities in Backup & Replication
Summary
Veeam has released security updates to address multiple critical vulnerabilities in its Backup & Replication software, including seven new RCE flaws. The latest updates patch vulnerabilities (CVE-2026-21666, CVE-2026-21667, CVE-2026-21668, CVE-2026-21669, CVE-2026-21671, CVE-2026-21672, and CVE-2026-21708) that allow low-privileged domain users and Backup Viewers to execute remote code on vulnerable backup servers. Additionally, several high-severity bugs were addressed that could be exploited to escalate privileges, extract SSH credentials, and manipulate files on Backup Repositories. All of the vulnerabilities affect earlier builds and are fixed in versions 12.3.2.4465 and 13.0.1.2067. Veeam has warned admins to upgrade to the latest release promptly, since threat actors often develop exploits soon after a patch is released. Ransomware gangs, including FIN7 and the Cuba ransomware gang, have targeted VBR servers to simplify data theft and block restoration efforts.
Timeline
- 13.03.2026 06:15 · 1 article · 23h ago
  Veeam warns of increased threat actor activity post-patch release
  Veeam has warned that threat actors often begin developing exploits shortly after patches are released. The company advises admins to upgrade the software to the latest release as soon as possible to mitigate the risk of exploitation.
  Sources:
  - Veeam Patches 7 Critical Backup & Replication Flaws Allowing Remote Code Execution — thehackernews.com — 13.03.2026 06:15
- 12.03.2026 18:59 · 2 articles · 1d ago
  Veeam patches new critical RCE vulnerabilities in Backup & Replication
  Veeam has patched four new critical RCE vulnerabilities (CVE-2026-21666, CVE-2026-21667, CVE-2026-21669, and CVE-2026-21708) in its Backup & Replication software. These flaws allow low-privileged domain users and Backup Viewers to execute remote code on vulnerable backup servers. Additionally, several high-severity bugs were addressed that could be exploited to escalate privileges, extract SSH credentials, and manipulate files on Backup Repositories. The vulnerabilities are resolved in versions 12.3.2.4465 and 13.0.1.2067. Veeam warns admins to upgrade to the latest release promptly to mitigate exploitation risks. The article also details three further critical vulnerabilities (CVE-2026-21668, CVE-2026-21671, and CVE-2026-21672) that allow various forms of remote code execution and privilege escalation.
  Sources:
  - Veeam warns of critical flaws exposing backup servers to RCE attacks — www.bleepingcomputer.com — 12.03.2026 18:59
  - Veeam Patches 7 Critical Backup & Replication Flaws Allowing Remote Code Execution — thehackernews.com — 13.03.2026 06:15
- 07.01.2026 15:06 · 2 articles · 2mo ago
  Ransomware gangs target Veeam Backup & Replication servers
  Veeam Backup & Replication (VBR) is popular among mid-sized to large enterprises and managed service providers. Ransomware gangs target VBR servers to simplify data theft and block restoration efforts. The Cuba ransomware gang and FIN7 have been linked to attacks targeting VBR vulnerabilities. Frag ransomware exploited CVE-2024-40711 in VBR, a flaw also used in Akira and Fog ransomware attacks. Veeam products are used by more than 550,000 customers worldwide, including 74% of Global 2,000 firms and 82% of Fortune 500 companies.
  Sources:
  - New Veeam vulnerabilities expose backup servers to RCE attacks — www.bleepingcomputer.com — 07.01.2026 15:06
  - Veeam warns of critical flaws exposing backup servers to RCE attacks — www.bleepingcomputer.com — 12.03.2026 18:59
- 07.01.2026 12:41 · 2 articles · 2mo ago
  Veeam Patches Critical RCE Vulnerability in Backup & Replication
  Veeam has released security updates to address multiple vulnerabilities in its Backup & Replication software, including a critical RCE flaw (CVE-2025-59470) with a CVSS score of 9.0. The flaw allows Backup or Tape Operators to execute code as the postgres user. Three additional vulnerabilities with CVSS scores ranging from 6.7 to 7.2 were also patched. All vulnerabilities affect versions up to 13.0.1.180 and have been fixed in version 13.0.1.1071. Veeam adjusted the severity rating of CVE-2025-59470 to high due to the required Backup or Tape Operator roles for exploitation.
  Sources:
  - Veeam Patches Critical RCE Vulnerability with CVSS 9.0 in Backup & Replication — thehackernews.com — 07.01.2026 12:41
  - New Veeam vulnerabilities expose backup servers to RCE attacks — www.bleepingcomputer.com — 07.01.2026 15:06
Information Snippets
- CVE-2025-59470 is a critical RCE vulnerability with a CVSS score of 9.0, allowing Backup or Tape Operators to execute code as the postgres user.
  First reported: 07.01.2026 12:41 · 2 sources, 3 articles. Sources:
  - Veeam Patches Critical RCE Vulnerability with CVSS 9.0 in Backup & Replication — thehackernews.com — 07.01.2026 12:41
  - New Veeam vulnerabilities expose backup servers to RCE attacks — www.bleepingcomputer.com — 07.01.2026 15:06
  - Veeam warns of critical flaws exposing backup servers to RCE attacks — www.bleepingcomputer.com — 12.03.2026 18:59
- CVE-2025-55125 (CVSS 7.2) allows RCE as root by creating a malicious backup configuration file.
  First reported: 07.01.2026 12:41 · 2 sources, 2 articles. Sources:
  - Veeam Patches Critical RCE Vulnerability with CVSS 9.0 in Backup & Replication — thehackernews.com — 07.01.2026 12:41
  - New Veeam vulnerabilities expose backup servers to RCE attacks — www.bleepingcomputer.com — 07.01.2026 15:06
- CVE-2025-59468 (CVSS 6.7) allows RCE as the postgres user by sending a malicious password parameter.
  First reported: 07.01.2026 12:41 · 2 sources, 2 articles. Sources:
  - Veeam Patches Critical RCE Vulnerability with CVSS 9.0 in Backup & Replication — thehackernews.com — 07.01.2026 12:41
  - New Veeam vulnerabilities expose backup servers to RCE attacks — www.bleepingcomputer.com — 07.01.2026 15:06
- CVE-2025-59469 (CVSS 7.2) allows Backup or Tape Operators to write files as root.
  First reported: 07.01.2026 12:41 · 2 sources, 2 articles. Sources:
  - Veeam Patches Critical RCE Vulnerability with CVSS 9.0 in Backup & Replication — thehackernews.com — 07.01.2026 12:41
  - New Veeam vulnerabilities expose backup servers to RCE attacks — www.bleepingcomputer.com — 07.01.2026 15:06
- All vulnerabilities affect Veeam Backup & Replication 13.0.1.180 and earlier versions.
  First reported: 07.01.2026 12:41 · 2 sources, 2 articles. Sources:
  - Veeam Patches Critical RCE Vulnerability with CVSS 9.0 in Backup & Replication — thehackernews.com — 07.01.2026 12:41
  - New Veeam vulnerabilities expose backup servers to RCE attacks — www.bleepingcomputer.com — 07.01.2026 15:06
- The vulnerabilities have been addressed in Backup & Replication version 13.0.1.1071.
  First reported: 07.01.2026 12:41 · 1 source, 1 article. Sources:
  - Veeam Patches Critical RCE Vulnerability with CVSS 9.0 in Backup & Replication — thehackernews.com — 07.01.2026 12:41
- Veeam has not mentioned any exploitation of these flaws in the wild.
  First reported: 07.01.2026 12:41 · 2 sources, 2 articles. Sources:
  - Veeam Patches Critical RCE Vulnerability with CVSS 9.0 in Backup & Replication — thehackernews.com — 07.01.2026 12:41
  - New Veeam vulnerabilities expose backup servers to RCE attacks — www.bleepingcomputer.com — 07.01.2026 15:06
- Veeam adjusted the severity rating of CVE-2025-59470 to high due to the required Backup or Tape Operator roles for exploitation.
  First reported: 07.01.2026 15:06 · 1 source, 1 article. Sources:
  - New Veeam vulnerabilities expose backup servers to RCE attacks — www.bleepingcomputer.com — 07.01.2026 15:06
- Veeam released version 13.0.1.1071 on January 6 to patch CVE-2025-59470 and two other vulnerabilities.
  First reported: 07.01.2026 15:06 · 1 source, 1 article. Sources:
  - New Veeam vulnerabilities expose backup servers to RCE attacks — www.bleepingcomputer.com — 07.01.2026 15:06
- Veeam Backup & Replication (VBR) is popular among mid-sized to large enterprises and managed service providers.
  First reported: 07.01.2026 15:06 · 1 source, 1 article. Sources:
  - New Veeam vulnerabilities expose backup servers to RCE attacks — www.bleepingcomputer.com — 07.01.2026 15:06
- Ransomware gangs target VBR servers to simplify data theft and block restoration efforts.
  First reported: 07.01.2026 15:06 · 1 source, 2 articles. Sources:
  - New Veeam vulnerabilities expose backup servers to RCE attacks — www.bleepingcomputer.com — 07.01.2026 15:06
  - Veeam warns of critical flaws exposing backup servers to RCE attacks — www.bleepingcomputer.com — 12.03.2026 18:59
- The Cuba ransomware gang and FIN7 have been linked to attacks targeting VBR vulnerabilities.
  First reported: 07.01.2026 15:06 · 1 source, 2 articles. Sources:
  - New Veeam vulnerabilities expose backup servers to RCE attacks — www.bleepingcomputer.com — 07.01.2026 15:06
  - Veeam warns of critical flaws exposing backup servers to RCE attacks — www.bleepingcomputer.com — 12.03.2026 18:59
- Frag ransomware exploited CVE-2024-40711 in VBR, a flaw also used in Akira and Fog ransomware attacks.
  First reported: 07.01.2026 15:06 · 2 sources, 3 articles. Sources:
  - New Veeam vulnerabilities expose backup servers to RCE attacks — www.bleepingcomputer.com — 07.01.2026 15:06
  - Veeam warns of critical flaws exposing backup servers to RCE attacks — www.bleepingcomputer.com — 12.03.2026 18:59
  - Veeam Patches 7 Critical Backup & Replication Flaws Allowing Remote Code Execution — thehackernews.com — 13.03.2026 06:15
- CVE-2026-21666, CVE-2026-21667, and CVE-2026-21669 are RCE vulnerabilities allowing low-privileged domain users to execute remote code on vulnerable backup servers in low-complexity attacks.
  First reported: 12.03.2026 18:59 · 1 source, 1 article. Sources:
  - Veeam warns of critical flaws exposing backup servers to RCE attacks — www.bleepingcomputer.com — 12.03.2026 18:59
- CVE-2026-21708 allows a Backup Viewer to gain remote code execution as the postgres user.
  First reported: 12.03.2026 18:59 · 2 sources, 2 articles. Sources:
  - Veeam warns of critical flaws exposing backup servers to RCE attacks — www.bleepingcomputer.com — 12.03.2026 18:59
  - Veeam Patches 7 Critical Backup & Replication Flaws Allowing Remote Code Execution — thehackernews.com — 13.03.2026 06:15
- Veeam addressed several high-severity security bugs that can be exploited to escalate privileges on Windows-based Veeam Backup & Replication servers, extract saved SSH credentials, and bypass restrictions to manipulate arbitrary files on a Backup Repository.
  First reported: 12.03.2026 18:59 · 2 sources, 2 articles. Sources:
  - Veeam warns of critical flaws exposing backup servers to RCE attacks — www.bleepingcomputer.com — 12.03.2026 18:59
  - Veeam Patches 7 Critical Backup & Replication Flaws Allowing Remote Code Execution — thehackernews.com — 13.03.2026 06:15
- Veeam Backup & Replication versions 12.3.2.4465 and 13.0.1.2067 resolve the vulnerabilities.
  First reported: 12.03.2026 18:59 · 2 sources, 2 articles. Sources:
  - Veeam warns of critical flaws exposing backup servers to RCE attacks — www.bleepingcomputer.com — 12.03.2026 18:59
  - Veeam Patches 7 Critical Backup & Replication Flaws Allowing Remote Code Execution — thehackernews.com — 13.03.2026 06:15
- Veeam warns that threat actors often begin developing exploits shortly after patches are released and advises admins to upgrade the software to the latest release as soon as possible.
  First reported: 12.03.2026 18:59 · 2 sources, 2 articles. Sources:
  - Veeam warns of critical flaws exposing backup servers to RCE attacks — www.bleepingcomputer.com — 12.03.2026 18:59
  - Veeam Patches 7 Critical Backup & Replication Flaws Allowing Remote Code Execution — thehackernews.com — 13.03.2026 06:15
- Veeam products are used by more than 550,000 customers worldwide, including 74% of Global 2,000 firms and 82% of Fortune 500 companies.
  First reported: 12.03.2026 18:59 · 1 source, 1 article. Sources:
  - Veeam warns of critical flaws exposing backup servers to RCE attacks — www.bleepingcomputer.com — 12.03.2026 18:59
- CVE-2026-21666 (CVSS score: 9.9) allows an authenticated domain user to perform remote code execution on the Backup Server.
  First reported: 13.03.2026 06:15 · 1 source, 1 article. Sources:
  - Veeam Patches 7 Critical Backup & Replication Flaws Allowing Remote Code Execution — thehackernews.com — 13.03.2026 06:15
- CVE-2026-21667 (CVSS score: 9.9) allows an authenticated domain user to perform remote code execution on the Backup Server.
  First reported: 13.03.2026 06:15 · 1 source, 1 article. Sources:
  - Veeam Patches 7 Critical Backup & Replication Flaws Allowing Remote Code Execution — thehackernews.com — 13.03.2026 06:15
- CVE-2026-21668 (CVSS score: 8.8) allows an authenticated domain user to bypass restrictions and manipulate arbitrary files on a Backup Repository.
  First reported: 13.03.2026 06:15 · 1 source, 1 article. Sources:
  - Veeam Patches 7 Critical Backup & Replication Flaws Allowing Remote Code Execution — thehackernews.com — 13.03.2026 06:15
- CVE-2026-21669 (CVSS score: 9.9) allows an authenticated domain user to perform remote code execution on the Backup Server.
  First reported: 13.03.2026 06:15 · 1 source, 1 article. Sources:
  - Veeam Patches 7 Critical Backup & Replication Flaws Allowing Remote Code Execution — thehackernews.com — 13.03.2026 06:15
- CVE-2026-21671 (CVSS score: 9.1) allows an authenticated user with the Backup Administrator role to perform remote code execution in high availability (HA) deployments of Veeam Backup & Replication.
  First reported: 13.03.2026 06:15 · 1 source, 1 article. Sources:
  - Veeam Patches 7 Critical Backup & Replication Flaws Allowing Remote Code Execution — thehackernews.com — 13.03.2026 06:15
- CVE-2026-21672 (CVSS score: 8.8) allows local privilege escalation on Windows-based Veeam Backup & Replication servers.
  First reported: 13.03.2026 06:15 · 1 source, 1 article. Sources:
  - Veeam Patches 7 Critical Backup & Replication Flaws Allowing Remote Code Execution — thehackernews.com — 13.03.2026 06:15
- The vulnerabilities affect Veeam Backup & Replication 12.3.2.4165 and all earlier version 12 builds.
  First reported: 13.03.2026 06:15 · 1 source, 1 article. Sources:
  - Veeam Patches 7 Critical Backup & Replication Flaws Allowing Remote Code Execution — thehackernews.com — 13.03.2026 06:15
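The practical question behind the snippets above is whether a given VBR build is below the fixed build for its branch (12.3.2.4465 on the v12 branch, 13.0.1.2067 on the v13 branch, and 13.0.1.1071 for the January advisory). The following helper is an added example, not code from the page, from Veeam or from either news source. It assumes dotted numeric build strings (major.minor.patch.build) and, generalising the page's "12.3.2.4165 and all earlier version 12 builds", treats every build below the fixed build on the same major branch as unpatched; builds on a branch the advisory does not name are flagged for manual review rather than guessed at. The hostnames and the v11 build in the sample inventory are constructed.

```python
"""Build-number triage for Veeam Backup & Replication (VBR) hosts.

Example added to this page; not Veeam code. Fixed builds are the ones the
advisories above name. Assumption: on each major branch, any build lower
than the fixed build is unpatched (generalised from the page's statement
about "12.3.2.4165 and all earlier version 12 builds").
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Fixed builds named in the March 2026 advisory, keyed by major version branch.
FIXED_BUILDS_MARCH_2026: Dict[int, str] = {
    12: "12.3.2.4465",
    13: "13.0.1.2067",
}
# Fixed build from the January 2026 advisory (CVE-2025-59470 and companions).
FIXED_BUILDS_JANUARY_2026: Dict[int, str] = {
    13: "13.0.1.1071",
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Parse 'major.minor.patch.build' into a 4-tuple of ints.

    Comparing ints rather than strings is the whole point: as strings,
    "13.0.1.180" sorts after "13.0.1.1071", which would mark an affected
    build as patched. Missing trailing fields are padded with 0; a
    non-numeric field raises ValueError instead of passing silently.
    """
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"unexpected version format: {text!r}")
    nums = tuple(int(p) for p in parts)  # ValueError on e.g. '12.x'
    return nums + (0,) * (4 - len(nums))


@dataclass
class Verdict:
    version: str
    branch: int
    fixed_build: Optional[str]
    patched: Optional[bool]  # None: branch not covered by this advisory
    reason: str


def assess(installed: str,
           fixed_builds: Dict[int, str] = FIXED_BUILDS_MARCH_2026) -> Verdict:
    """Compare one installed build against the fixed build for its branch."""
    v = parse_version(installed)
    branch = v[0]
    if branch not in fixed_builds:
        return Verdict(installed, branch, None, None,
                       "branch not named in this advisory; check the vendor KB")
    fixed = fixed_builds[branch]
    if v >= parse_version(fixed):
        return Verdict(installed, branch, fixed, True, "at or above fixed build")
    return Verdict(installed, branch, fixed, False, "below fixed build: upgrade")


def needs_upgrade(inventory: Dict[str, str],
                  fixed_builds: Dict[int, str] = FIXED_BUILDS_MARCH_2026) -> List[str]:
    """Hostnames whose build is below the fixed build for their branch.

    Hosts on an uncovered branch are deliberately not returned here; they
    need a manual look, which is why assess() reports them with patched=None.
    """
    return sorted(host for host, ver in inventory.items()
                  if assess(ver, fixed_builds).patched is False)


# Constructed sample inventory: hostnames and the v11 build are made up,
# the v12/v13 builds are the ones the advisories name.
SAMPLE_INVENTORY = {
    "vbr-01": "12.3.2.4165",   # last affected v12 build per the advisory
    "vbr-02": "13.0.1.1071",   # carries the January fix, but below the March fix
    "vbr-03": "13.0.1.2067",   # March fix, v13 branch
    "vbr-04": "12.3.2.4465",   # March fix, v12 branch
    "vbr-05": "11.0.0.0",      # branch not covered: flagged for manual review
}

if __name__ == "__main__":
    for host, ver in SAMPLE_INVENTORY.items():
        r = assess(ver)
        print(f"{host}: {ver} -> {r.reason}")
    print("needs upgrade:", needs_upgrade(SAMPLE_INVENTORY))
```

Feed `needs_upgrade()` whatever inventory your asset system exports (a hostname-to-build mapping); the numeric comparison matters because build numbers like 180 and 1071 compare the wrong way round as strings, and a host that was current after the January advisory (13.0.1.1071) still lands on the upgrade list for the March one.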
Similar Happenings
Critical Unauthenticated RCE Flaw in SmarterMail Patched
SmarterTools has addressed a critical unauthenticated remote code execution (RCE) flaw in SmarterMail email software, tracked as CVE-2026-24423 with a CVSS score of 9.3. The vulnerability allows attackers to execute arbitrary OS commands by pointing SmarterMail to a malicious HTTP server. The flaw was discovered by researchers from watchTowr, CODE WHITE GmbH, and VulnCheck and was patched in Build 9511, released on January 15, 2026. CISA has added CVE-2026-24423 to its KEV catalog, marking it as actively exploited in ransomware campaigns, and has given federal agencies until February 26, 2026, to patch or stop using affected versions. Additionally, another critical flaw (CVE-2026-23760) and a medium-severity vulnerability (CVE-2026-25067) were addressed in subsequent updates.
Chainlit Framework Vulnerabilities Expose AI Application Infrastructure
Two high-severity vulnerabilities in the Chainlit framework, tracked as CVE-2026-22218 and CVE-2026-22219, allow authenticated users to read arbitrary files and perform server-side request forgery (SSRF), potentially exposing sensitive data and cloud resources. These vulnerabilities, collectively dubbed ChainLeak by Zafran Security, were responsibly disclosed on November 23, 2025, and patched on December 24, 2025, with the release of Chainlit version 2.9.4. Chainlit, widely used for building conversational AI applications, has seen significant adoption with over 7.3 million downloads to date, including 220,000 in the past week alone. The vulnerabilities highlight the risks posed by traditional web flaws in AI application environments, particularly in enterprise deployments and academic institutions.
Critical RCE flaw in HPE OneView software actively exploited
Hewlett Packard Enterprise (HPE) has patched a maximum-severity remote code execution (RCE) vulnerability (CVE-2025-37164) in its OneView software, which has a CVSS score of 10.0. The flaw affects all versions before v11.00 and can be exploited by unauthenticated attackers in low-complexity attacks. The vulnerability was reported by Vietnamese security researcher Nguyen Quoc Khanh (brocked200). HPE advises immediate patching as there are no workarounds or mitigations available. HPE has not confirmed whether the vulnerability has been exploited in attacks. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has flagged the flaw as actively exploited in attacks and has given Federal Civilian Executive Branch (FCEB) agencies three weeks to secure their systems, by January 28th. CISA encourages all organizations, including the private sector, to patch their devices against this actively exploited flaw as soon as possible. HPE OneView is IT infrastructure management software that streamlines IT operations and controls all systems via a centralized dashboard interface. The hotfix must be reapplied after upgrading from version 6.60 or later to version 7.00.00, or after any HPE Synergy Composer reimaging operations. Separate hotfixes are available for the OneView virtual appliance and Synergy Composer2. Additionally, HPE has patched multiple security vulnerabilities in the Aruba Networking AOS-CX operating system, including a critical authentication bypass vulnerability (CVE-2026-23813) that allows unauthenticated attackers to reset admin passwords. HPE has not found publicly available exploit code or evidence of exploitation in the wild.
Active Exploitation of Gogs Zero-Day Vulnerability
A high-severity zero-day vulnerability (CVE-2025-8110, CVSS 8.7) in Gogs, a self-hosted Git service, is being actively exploited across over 700 internet-accessible instances. The flaw allows arbitrary code execution by bypassing a previously patched remote code execution vulnerability (CVE-2024-55947). The attacks involve deploying malware based on the Supershell C2 framework, linked to Chinese hacking groups. The vulnerability stems from a path traversal weakness in the PutContents API, enabling attackers to overwrite sensitive files and execute arbitrary commands. The attacks appear to be part of a 'smash-and-grab' campaign, with repositories left behind on compromised systems. As of now, there is no patch available for CVE-2025-8110, and users are advised to disable open registration, limit internet exposure, and scan for suspicious repositories. CISA has added CVE-2025-8110 to its Known Exploited Vulnerabilities (KEV) catalog, and Federal Civilian Executive Branch (FCEB) agencies are required to apply mitigations by February 2, 2026. A second wave of attacks was observed on November 1, 2025, and the malware communicates with a command-and-control server at 119.45.176[.]196.
Microsoft December 2025 Patch Tuesday addresses 3 zero-days, 56 flaws
Microsoft's December 2025 Patch Tuesday addresses 56 vulnerabilities, including three zero-days. One zero-day (CVE-2025-62221) is actively exploited, allowing privilege escalation in the Windows Cloud Files Mini Filter Driver. Two other zero-days (CVE-2025-64671, CVE-2025-54100) are publicly disclosed, affecting GitHub Copilot for JetBrains and PowerShell. The updates also fix 3 critical remote code execution vulnerabilities. Additionally, Microsoft released the KB5071546 extended security update for Windows 10 Enterprise LTSC and ESU program participants, addressing the same vulnerabilities and updating Windows 10 to build 19045.6691 and Windows 10 Enterprise LTSC 2021 to build 19044.6691. The update includes a fix for CVE-2025-54100, a remote code execution zero-day vulnerability in PowerShell, and introduces a confirmation prompt with a security warning about script execution risk when using the Invoke-WebRequest command in PowerShell 5.1. Microsoft patched a total of 1,275 CVEs in 2025, according to data compiled by Fortra. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-62221 to the Known Exploited Vulnerabilities (KEV) catalog, requiring FCEB agencies to apply the patch by December 30, 2025. The remaining two zero-days, CVE-2025-54100 and CVE-2025-64671, are part of a broader set of security vulnerabilities collectively named IDEsaster, affecting multiple AI coding platforms.