{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-21666", "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "state": "PUBLISHED", "assignerShortName": "hackerone", "dateReserved": "2026-01-02T15:00:02.871Z", "datePublished": "2026-03-12T15:09:39.180Z", "dateUpdated": "2026-03-13T03:55:43.772Z"}, "containers": {"cna": {"descriptions": [{"lang": "en", "value": "A vulnerability allowing an authenticated domain user to perform remote code execution (RCE) on the Backup Server."}], "affected": [{"defaultStatus": "unaffected", "vendor": "Veeam", "product": "Backup and Replication", "versions": [{"version": "12.3.2", "status": "affected", "lessThan": "12.3.2", "versionType": "semver"}]}], "references": [{"url": "https://www.veeam.com/kb4830"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "baseScore": 10, "baseSeverity": "CRITICAL"}}], "providerMetadata": {"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone", "dateUpdated": "2026-03-12T15:09:39.180Z"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-284", "lang": "en", "description": "CWE-284 Improper Access Control"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-12T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2026-21666"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-13T03:55:43.772Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-21666", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-12T15:32:33.135548Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284 Improper Access Control"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-12T15:32:14.640Z"}}], "cna": {"metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 10, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"}}], "affected": [{"vendor": "Veeam", "product": "Backup and Replication", "versions": [{"status": "affected", "version": "12.3.2", "lessThan": "12.3.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://www.veeam.com/kb4830"}], "descriptions": [{"lang": "en", "value": "A vulnerability allowing an authenticated domain user to perform remote code execution (RCE) on the Backup Server."}], "providerMetadata": {"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone", "dateUpdated": "2026-03-12T15:09:39.180Z"}}}, "cveMetadata": {"cveId": "CVE-2026-21666", "state": "PUBLISHED", "dateUpdated": "2026-03-12T15:32:37.291Z", "dateReserved": "2026-01-02T15:00:02.871Z", "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "datePublished": "2026-03-12T15:09:39.180Z", "assignerShortName": "hackerone"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:veeam:veeam_backup_\\&_replication:*:*:*:*:*:*:*:*", "matchCriteriaId": "7C1376E5-9691-4087-B594-B03F061BE3C8", "versionEndExcluding": "12.3.2.4465", "versionStartIncluding": "12.0.0.1402", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability allowing an authenticated domain user to perform remote code execution (RCE) on the Backup Server."}, {"lang": "es", "value": "Una vulnerabilidad que permite a un usuario de dominio autenticado realizar ejecuci\u00f3n remota de c\u00f3digo (RCE) en el servidor de copia de seguridad."}], "id": "CVE-2026-21666", "lastModified": "2026-03-31T01:02:57.667", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 6.0, "source": "support@hackerone.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-12T15:16:13.007", "references": [{"source": "support@hackerone.com", "tags": ["Vendor Advisory"], "url": "https://www.veeam.com/kb4830"}], "sourceIdentifier": "support@hackerone.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,12.3.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Backup and Replication", "source": "cna", "vendor": "Veeam"}, "product": "backup_and_replication", "vendor": "veeam"}], "analysis": {"en": {"generated_at": "2026-03-18T14:43:55.792260+00:00", "value": {"mitigation_remediation": ["Apply the latest Veeam patch or upgrade to the corrected version as released in the Veeam advisory.", "If a patch is unavailable, restrict or remove the domain user\u2019s administrative privileges on the Backup Server to mitigate the RCE vector.", "Enable and monitor audit logging to detect any anomalous activity from domain accounts against the Backup Server."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The affected product is Veeam Backup and Replication. Specific affected versions are not listed in the supplied data; therefore, users of any installed version of the product should review the Veeam advisory for more precise version coverage.\n", "description_and_impact": "A flaw in Veeam Backup and Replication allows an authenticated domain user to execute arbitrary code on the backup server. The vulnerability can be abused to take full control of the server, compromising confidentiality, integrity, and availability of all backup data and potentially the entire network infrastructure. The weakness is identified as CWE-284 (Improper Access Control). The CVSS score of 10 reflects the maximum severity of this RCE. No additional details about input handling or cryptographic errors are provided.\n", "risk_and_exploitability": "The CVSS rating indicates absolute severity, but the EPSS score of less than 1% suggests that, within the current observable exploitation landscape, this vulnerability is not widely targeted. The vulnerability requires a user to be authenticated in the domain, so it is not an unauthenticated, network-wide threat. Since it is not listed in the CISA KEV catalog, no known public exploits are documented. The attack path therefore hinges on an insider or compromised domain user account.\n"}}}}, "created": "2026-03-13T09:53:06.757509+00:00", "updated": "2026-03-20T15:49:43.554114+00:00", "vendors": ["veeam", "veeam$PRODUCT$backup_and_replication"]}