Latest Veeam Software vulnerability: CVE-2026-44963 #

Veeam Software disclosed that certain versions of Veeam Backup & Replication contain a vulnerability that allows an authenticated domain user to achieve remote code execution (RCE) on the Backup Server. Additional technical details have not been released at this time. This vulnerability has been designated CVE-2026-44963 and has been rated critical with a CVSS score of 9.4.

    The following versions are affected:

    • Veeam Backup & Replication 12.x: Versions prior to 12.3.2.4854.
    Note: Older, unsupported product versions have not been tested, but are likely also affected.

    What is Veeam Backup & Replication? #

    Veeam Backup & Replication is data protection software that supports image-level backup, recovery, and replication for virtual, physical, and cloud machines.

    What is the impact? #

    Successful exploitation of this vulnerability would allow an adversary to execute arbitrary code on the vulnerable host, potentially leading to complete system compromise.

    Are updates or workarounds available? #

    Users are encouraged to update to the latest version as quickly as possible:

    • Veeam Backup & Replication 12.x: Version 12.3.2.4854 or later.
    • All older, unsupported product versions: A supported, fixed version.

    How to find potentially vulnerable systems with runZero #

    From the Software Inventory, use the following query to locate potentially impacted assets:

    vendor:=Veeam AND (product:="Backup & Replication" OR product:="Veeam Backup & Replication")

    March 2026: CVE-2026-21666, CVE-2026-21667, CVE-2026-21668, CVE-2026-21669, CVE-2026-21670, CVE-2026-21671, CVE-2026-21672, and CVE-2026-21708 #

    Veeam Software disclosed in two advisories that multiple vulnerabilities have been identified in Veeam Backup & Replication which could allow for remote code execution (RCE), privilege escalation, and credential theft.

    Version 12.3.x Vulnerabilities

    • CVE-2026-21666 & CVE-2026-21667: Allows a remote, low-privileged authenticated domain user to perform RCE on the Backup Server. The vulnerabilities designated CVE-2026-21666 and CVE-2026-21667 have been rated critical with a CVSS score of 9.9.
    • CVE-2026-21668: Allows a remote, low-privileged authenticated domain user to bypass restrictions and manipulate arbitrary files on a Backup Repository. This vulnerability has been designated CVE-2026-21668 and has been rated high with a CVSS score of 8.8.

    Version 13.0.x Vulnerabilities

    • CVE-2026-21669: Allows a remote, low-privileged authenticated domain user to perform RCE on Windows-based Backup Servers. This vulnerability has been designated CVE-2026-21669 and has been rated critical with a CVSS score of 9.9.
    • CVE-2026-21670: Allows a remote, low-privileged user to extract saved SSH credentials from Windows-based servers or the Veeam Software Appliance. This vulnerability has been designated CVE-2026-21670 and has been rated high with a CVSS score of 7.7.
    • CVE-2026-21671: Allows a remote, high-privileged user with the "Backup Administrator" role to perform RCE in high availability (HA) deployments. This vulnerability has been designated CVE-2026-21671 and has been rated critical with a CVSS score of 9.1.

    Vulnerabilities Affecting Both 12.3.x and 13.0.x

    • CVE-2026-21672: A vulnerability allowing local privilege escalation on Windows-based Backup Servers. This vulnerability has been designated CVE-2026-21672 and has been rated high with a CVSS score of 8.8.
    • CVE-2026-21708: Allows a remote, low-privileged user with the "Backup Viewer" role to perform RCE as the postgres user. This vulnerability has been designated CVE-2026-21708 and has been rated critical with a CVSS score of 9.9.

    The following versions are affected:

    • Veeam Backup & Replication versions 12.3.x prior to 12.3.2.4465
    • Veeam Backup & Replication versions 13.0.x prior to 13.0.1.2067

    What is Veeam Backup & Replication? #

    Veeam Backup & Replication is data protection software that supports image-level backup, recovery, and replication for virtual, physical, and cloud machines.

    What is the impact? #

    Successful exploitation of these vulnerabilities would allow an adversary to execute arbitrary code on the vulnerable host, potentially leading to complete system compromise.

    Are updates or workarounds available? #

    Users are encouraged to update to the latest version as quickly as possible:

    • Veeam Backup & Replication versions 12.3.x upgrade to version 12.3.2.4465 or later
    • Veeam Backup & Replication versions 13.0.x upgrade to version 13.0.1.2067 or later

    How to find potentially vulnerable systems with runZero #

    From the Software Inventory, use the following query to locate potentially impacted assets:

    vendor:=Veeam AND (product:="Backup & Replication" OR product:="Veeam Backup & Replication")

    November 2025: CVE-2025-48983 and CVE-2025-48984 #

    Veeam Software has disclosed two remote code execution (RCE) vulnerabilities affecting certain versions of Veeam Backup & Replication. These flaws in different software components allow a remote, low-privileged adversary (authenticated domain user) to execute arbitrary code.

    • The first method is via a vulnerability in the Mount service on domain-joined backup infrastructure servers. This vulnerability has been designated CVE-2025-48983 and has been rated critical with a CVSS score of 9.9.
    • The second method is via a vulnerability in domain-joined backup servers. This vulnerability has been designated CVE-2025-48984 and has been rated critical with a CVSS score of 9.9.

    The following versions are affected:

    • Veeam Backup & Replication versions 12.x prior to 12.3.2.4165

    What is Veeam Backup & Replication? #

    Veeam Backup & Replication is data protection software that supports image-level backup, recovery, and replication for virtual, physical, and cloud machines.

    What is the impact? #

    Successful exploitation of these vulnerabilities would allow an adversary to execute arbitrary code on the vulnerable host, potentially leading to complete system compromise.

    Are updates or workarounds available? #

    Users are encouraged to update to the latest version as quickly as possible:

    • Veeam Backup & Replication versions 12.x upgrade to version 12.3.2.4165 or later

    How to find potentially vulnerable systems with runZero #

    From the Software Inventory, use the following query to locate potentially impacted assets:

    vendor:=Veeam AND product:="Veeam Backup & Replication" AND (version:>0 AND version:>=12 AND version:<12.3.2.4165)

    Currently, runZero prebuilt integrations can identify these findings.
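The sections above describe several overlapping fixed-build thresholds for Veeam Backup & Replication (12.x before 12.3.2.4165, 12.3.x before 12.3.2.4465, 13.0.x before 13.0.1.2067, and 12.x before 12.3.2.4854), and a build such as 12.3.2.4465 is fixed for the March 2026 advisories yet still below the build that fixes CVE-2026-44963. The following is an added triage helper, not runZero's or Veeam's own code: it compares build numbers component-wise (a plain string comparison would put 12.3.2.999 above 12.3.2.4165) and reports which of the CVEs listed on this page a given build still lacks a fix for. The fix table is transcribed from the advisory summaries above and follows their stated version scope literally; the inventory lines and build numbers at the bottom are constructed sample data.

```python
"""Triage helper for Veeam Backup & Replication build numbers.

Added example, not runZero's or Veeam's own code. The fixed-build table is
transcribed from the advisory summaries on this page; the branch prefixes
encode how each advisory scopes its fix (12.x vs 12.3.x vs 13.0.x).
"""
from dataclasses import dataclass


def parse_build(version: str) -> tuple[int, ...]:
    """Turn '12.3.2.4465' into (12, 3, 2, 4465) so builds compare numerically.

    Lexical comparison gets this wrong ('12.3.2.4854' < '12.3.2.999' as strings).
    Missing trailing components count as zero, so '12.3' == '12.3.0.0'.
    """
    parts = tuple(int(p) for p in version.strip().split("."))
    return parts + (0,) * (4 - len(parts))


@dataclass(frozen=True)
class Fix:
    cves: tuple[str, ...]
    branch: tuple[int, ...]   # builds whose leading components match are in scope
    fixed_in: str             # first build that carries the fix, per the advisory


# Fix table transcribed from the advisories on this page.
FIXES = (
    Fix(("CVE-2026-44963",), (12,), "12.3.2.4854"),
    Fix(("CVE-2026-21666", "CVE-2026-21667", "CVE-2026-21668",
         "CVE-2026-21672", "CVE-2026-21708"), (12, 3), "12.3.2.4465"),
    Fix(("CVE-2026-21669", "CVE-2026-21670", "CVE-2026-21671",
         "CVE-2026-21672", "CVE-2026-21708"), (13, 0), "13.0.1.2067"),
    Fix(("CVE-2025-48983", "CVE-2025-48984"), (12,), "12.3.2.4165"),
)


def in_branch(build: tuple[int, ...], prefix: tuple[int, ...]) -> bool:
    """True when the build's leading components equal the branch prefix."""
    return build[:len(prefix)] == prefix


def unpatched_cves(version: str) -> list[str]:
    """Return the CVEs from this page that the given build is still below the fix for."""
    build = parse_build(version)
    found: set[str] = set()
    for fix in FIXES:
        if in_branch(build, fix.branch) and build < parse_build(fix.fixed_in):
            found.update(fix.cves)
    return sorted(found)


# Constructed sample inventory (hostnames and builds are made up):
# host,product,version
SAMPLE_INVENTORY = """\
bkp-01.corp.example,Veeam Backup & Replication,12.3.2.4854
bkp-02.corp.example,Veeam Backup & Replication,12.3.2.4465
bkp-03.corp.example,Veeam Backup & Replication,13.0.0.1000
bkp-04.corp.example,Veeam Backup & Replication,12.3.1.1000
"""


def triage(csv_text: str) -> dict[str, list[str]]:
    """Map each host in a simple host,product,version export to its unpatched CVEs."""
    report: dict[str, list[str]] = {}
    for line in csv_text.splitlines():
        if not line.strip():
            continue
        host, _product, version = line.split(",")
        report[host] = unpatched_cves(version)
    return report


if __name__ == "__main__":
    for host, cves in triage(SAMPLE_INVENTORY).items():
        status = ", ".join(cves) if cves else "no outstanding fixes from this page"
        print(f"{host}: {status}")
```

The branch prefixes deliberately mirror the advisories' wording rather than guessing wider ranges: the page scopes the March 2026 fixes to 12.3.x and 13.0.x, while noting that older unsupported releases were not tested, so a 12.2 or 11.x build would only be flagged for the fixes the page attributes to all of 12.x. Extend the table from the vendor's advisory if you need those older lines covered.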

    December 2024 #

    Veeam has disclosed two vulnerabilities found internally within their Veeam Service Provider Console (VSPC).

    • CVE-2024-42448 is rated Critical with a CVSS score of 9.9, which potentially allows remote code execution.
    • CVE-2024-42449 is rated High with a CVSS score of 7.1, which potentially leaks the NTLM hash of a service account and allows for the deletion of files on the server.

    What is the impact? #

    Although there are no known exploitations of these vulnerabilities in the wild, CVE-2024-42448 could allow remote code execution by an attacker on the server. An attacker would need to launch their attack from an authorized VSPC management agent server in order to exploit either of the disclosed vulnerabilities.

    Are updates or workarounds available? #

    No mitigations are available for the disclosed vulnerabilities. Instead, the vendor is strongly encouraging customers to "update to the latest cumulative patch".

    How to find potentially vulnerable systems with runZero #

    From the Service Inventory, use the following query to locate systems running potentially vulnerable software:

    has:"html.title" html.title:"Veeam Service Provider Console"

    December 2022 #

    Veeam published information on two vulnerabilities in the Veeam Backup & Replication product, originally reported by Nikita Petrov of Positive Technologies.

    As of December 16th, CISA had announced the addition of two critical vulnerabilities (tracked as CVE-2022-26500 and CVE-2022-26501) to the KEV catalog. These CVEs were actively being exploited, putting systems at risk. It was critical that these systems were updated to patch these vulnerabilities as soon as possible.

    Which versions were affected? #

    These vulnerabilities affected Backup & Replication versions 9.5, 10, and 11, allowing for exploitation by attackers to achieve unauthenticated remote code execution via the Veeam Distribution Service API. Details on the vulnerabilities (identified as CVE-2022-26500 and CVE-2022-26501) were not published at the time of writing, though Veeam had assigned a "critical" CVSS score of 9.8.

    Were updates made available? #

    Patched releases of Veeam Backup & Replication were made available (see the "Solution" section). Guidance from Veeam was for administrators to update to these newer versions as soon as possible. If near-term updating was not possible, Veeam offered a temporary mitigation strategy via stopping-and-disabling the Veeam Distribution Service (see the "Solution->Notes" section).

    How runZero users found potentially vulnerable Veeam instances #

    We added the default port (9380) for the Veeam Distribution Service API to our runZero Explorer and Scanner. If you were using Explorer or Scanner v2.11.5 or later, you just needed to ensure you had performed a recent scan of your assets prior to running the query below. If you were using an older Explorer or Scanner, users simply added port 9380 to the "Included TCP ports" (under the Advanced tab) and then ran a scan to gather the necessary data.

    From the Asset Inventory, users ran the following pre-built query to locate Veeam Distribution Service instances within their network that could potentially have been running vulnerable versions of Veeam Backup & Replication:

    tcp_port:9380
    Veeam prebuilt query is available in the Queries Library

    As always, any prebuilt queries we create are available from our Queries Library. Check out the library for other useful inventory queries.

    Written by runZero Team

    Great research and development is a team effort! Multiple runZero team members collaborated on this post. Go team!


    Written by Matthew Kienow

    Matthew Kienow is a software engineer and security researcher. Matthew previously worked on the Recog recognition framework, AttackerKB as well as Metasploit's MSF 5 APIs. He has also designed, built, and successfully deployed many secure software solutions; however, often he enjoys breaking them instead. He has presented his research at various security conferences including DerbyCon, Hack In Paris, and CarolinaCon. His research has been cited by CSO, Threatpost and SC Magazine.
