Cyber Posture

CVE-2026-21667

Severity: Critical
Published: 12 March 2026
Modified: 31 March 2026
KEV Added: not listed (not in the CISA KEV catalog)
Patch: see the Veeam advisory KB4830 referenced below
CVSS Score: 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0040 (61.0th percentile)
Risk Priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-21667 is a critical-severity Improper Access Control (CWE-284) vulnerability in Veeam Backup & Replication (vendor: Veeam). Its CVSS v3.1 base score is 9.9 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210). The CVE ranks in the top 39.0% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and AC-3 (Access Enforcement).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation of Remote Services (T1210) and one other technique (T1068, listed below).
What defenders deploy: the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)
Flaw remediation requires timely patching of the Veeam Backup Server vulnerability, directly preventing RCE exploitation by authenticated domain users.

AC-3 Access Enforcement (prevent)
Access enforcement directly addresses the improper access control (CWE-284) flaw that lets low-privilege users achieve RCE on the backup server.

AC-6 Least Privilege (prevent)
Least privilege limits the access of authenticated domain users to the backup server, reducing the attack surface for this RCE vulnerability.

MITRE ATT&CK Enterprise Techniques

T1210 Exploitation of Remote Services (Lateral Movement)
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.

T1068 Exploitation for Privilege Escalation (Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

Why these techniques?

The CVE enables remote code execution on the Veeam Backup Server through improper access control for authenticated low-privilege domain users, directly facilitating Exploitation of Remote Services (T1210) and Exploitation for Privilege Escalation (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

A vulnerability allowing an authenticated domain user to perform remote code execution (RCE) on the Backup Server.

Deeper analysis

CVE-2026-21667 is a critical vulnerability in the Veeam Backup Server that enables an authenticated domain user to achieve remote code execution (RCE). Classified under CWE-284 (Improper Access Control), it carries a CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H), a critical rating driven by its network accessibility, low attack complexity, changed scope, and potential for complete confidentiality, integrity, and availability compromise.

An attacker with low-privilege access as an authenticated domain user can exploit this vulnerability remotely without user interaction. Successful exploitation grants arbitrary code execution on the Backup Server, potentially allowing full system compromise, data exfiltration, or lateral movement within the environment.

Veeam has published mitigation guidance in knowledge base article KB4830, available at https://www.veeam.com/kb4830. Security practitioners should consult this advisory for patching instructions and workarounds to address the vulnerability.

Details

CWE(s)
CWE-284 Improper Access Control

Affected Products
Veeam Backup & Replication (vendor: Veeam)
Affected versions: 12.0.0.1402 through 12.3.2.4465

CVEs Like This One

CVE-2025-48983 (same product: Veeam Backup & Replication)
CVE-2026-21666 (same product: Veeam Backup & Replication)
CVE-2026-21669 (same product: Veeam Backup & Replication)
CVE-2025-48984 (same product: Veeam Backup & Replication)
CVE-2025-59469 (same product: Veeam Backup & Replication)
CVE-2026-21671 (same product: Veeam Backup & Replication)
CVE-2025-55125 (same product: Veeam Backup & Replication)
CVE-2025-59470 (same product: Veeam Backup & Replication)
CVE-2025-23120 (same product: Veeam Backup & Replication)
CVE-2025-59468 (same product: Veeam Backup & Replication)
