CVE-2026-21668

High

Published: 12 March 2026

Published

12 March 2026

Modified

10 May 2026

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0003 9.0th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-21668 is a high-severity Missing Authorization (CWE-862) vulnerability in Veeam Veeam Backup \& Replication. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005); ranked at the 9.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Data from Local System (T1005) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

AC-3 Access Enforcement good match

prevent

Enforces approved authorizations for access to system resources, directly preventing authenticated users from bypassing restrictions to manipulate arbitrary files on the backup repository.

SI-2 Flaw Remediation good match

prevent

Requires timely remediation of identified flaws, such as this missing authorization vulnerability, through patching as recommended in the vendor advisory.

AC-6 Least Privilege partial match

prevent

Applies least privilege to authenticated domain users, limiting their access and reducing the impact of the authorization bypass on backup repository files.

MITRE ATT&CK Enterprise TechniquesAI

T1005 Data from Local System Collection

Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

attack.mitre.org →

T1070.004 File Deletion Stealth

Adversaries may delete files left behind by the actions of their intrusion activity.

attack.mitre.org →

T1565.001 Stored Data Manipulation Impact

Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.

attack.mitre.org →

Why these techniques?

Missing authorization enables remote authenticated file read (T1005), deletion (T1070.004), and modification (T1565.001) on the backup repository.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

A vulnerability allowing an authenticated domain user to bypass restrictions and manipulate arbitrary files on a Backup Repository.

Deeper analysisAI

CVE-2026-21668 is a vulnerability that allows an authenticated domain user to bypass restrictions and manipulate arbitrary files on a Backup Repository. Published on 2026-03-12, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-862 (Missing Authorization). The issue affects Veeam Backup Repository components, as detailed in the vendor's knowledge base.

An attacker with low-privilege access as an authenticated domain user can exploit this vulnerability remotely over the network with low complexity and no user interaction required. Successful exploitation enables manipulation of arbitrary files on the Backup Repository, resulting in high impacts to confidentiality, integrity, and availability, such as unauthorized data access, modification, or deletion.

For mitigation details, refer to the Veeam advisory at https://www.veeam.com/kb4830, which provides guidance on patches and workarounds.

Details

CWE(s): CWE-862 CWE-693

Affected Products

veeam

veeam backup \& replication

12.0.0.1402 — 12.3.2.4465

CVEs Like This One

CVE-2026-21669Same product: Veeam Veeam Backup \& Replication

CVE-2026-21671Same product: Veeam Veeam Backup \& Replication

CVE-2025-59469Same product: Veeam Veeam Backup \& Replication

CVE-2025-48984Same product: Veeam Veeam Backup \& Replication

CVE-2026-21667Same product: Veeam Veeam Backup \& Replication

CVE-2025-55125Same product: Veeam Veeam Backup \& Replication

CVE-2025-59468Same product: Veeam Veeam Backup \& Replication

CVE-2025-59470Same product: Veeam Veeam Backup \& Replication

CVE-2025-48983Same product: Veeam Veeam Backup \& Replication

CVE-2026-21670Same product: Veeam Veeam Backup \& Replication

References

https://www.veeam.com/kb4830
Vendor Advisory · support@hackerone.com