Cyber Posture

CVE-2026-21666

Critical

Published: 12 March 2026
Modified: 31 March 2026
KEV Added: not listed (not currently in the CISA KEV catalog)
Patch: vendor advisory at https://www.veeam.com/kb4830
CVSS Score: 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0040 (61.0th percentile)
Risk Priority: 20 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-21666 is a critical-severity Improper Access Control (CWE-284) vulnerability in Veeam Backup & Replication. Its CVSS base score is 9.9 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 39.0% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI-generated]

- Prevent (SI-2, Flaw Remediation): Directly mitigates the RCE vulnerability by requiring timely patching of the specific flaw in Veeam Backup Server as outlined in the official advisory.
- Prevent (AC-3, Access Enforcement): Enforces approved access control policies to counter the improper access control (CWE-284) that enables authenticated domain users to achieve RCE.
- Prevent (least privilege): Limits the privileges of low-privilege authenticated domain users to the minimum necessary, reducing both the likelihood and the impact of successful RCE exploitation.

MITRE ATT&CK Enterprise Techniques [AI-generated]

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1210 Exploitation of Remote Services (Lateral Movement): Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
Why these techniques?

This CVE enables remote code execution on the Veeam Backup Server through improper access control affecting authenticated domain users, which maps directly to exploitation of a public-facing application (T1190) where the server is reachable from outside, and to exploitation of remote services (T1210) when the attacker already holds a domain account inside the network.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

A vulnerability allowing an authenticated domain user to perform remote code execution (RCE) on the Backup Server.

Deeper analysis [AI-generated]

CVE-2026-21666 is a critical vulnerability (CVSS 3.1 score of 9.9) in Veeam Backup Server that enables remote code execution (RCE). It stems from improper access control (CWE-284) and allows an authenticated domain user to execute arbitrary code on the affected Backup Server. The issue was publicly disclosed on March 12, 2026.

An attacker with low privileges, such as an authenticated domain user, can exploit this vulnerability remotely over the network with low attack complexity and no user interaction required. Successful exploitation has high impact on confidentiality, integrity, and availability, and the scope is changed (S:C), meaning the compromise extends beyond the vulnerable component to the system as a whole.

For mitigation details, refer to the official Veeam advisory at https://www.veeam.com/kb4830, which provides guidance on patches and workarounds.

Details

CWE(s)

- CWE-284 (Improper Access Control)

Affected Products

- Vendor: veeam
- Product: Veeam Backup & Replication
- Affected versions: 12.0.0.1402 through 12.3.2.4465

CVEs Like This One

- CVE-2026-21667 (same product: Veeam Backup & Replication)
- CVE-2025-48983 (same product: Veeam Backup & Replication)
- CVE-2026-21671 (same product: Veeam Backup & Replication)
- CVE-2025-59470 (same product: Veeam Backup & Replication)
- CVE-2026-21669 (same product: Veeam Backup & Replication)
- CVE-2025-23120 (same product: Veeam Backup & Replication)
- CVE-2025-48984 (same product: Veeam Backup & Replication)
- CVE-2025-59468 (same product: Veeam Backup & Replication)
- CVE-2025-59469 (same product: Veeam Backup & Replication)
- CVE-2025-55125 (same product: Veeam Backup & Replication)

References

- Veeam security advisory (patches and workarounds): https://www.veeam.com/kb4830