CVE-2026-21670
Published: 12 March 2026
Summary
CVE-2026-21670 is a high-severity Insufficiently Protected Credentials (CWE-522) vulnerability in Veeam Backup & Replication. Its CVSS base score is 7.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Unsecured Credentials (T1552). The CVE ranks at the 11.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
IA-5 mandates protecting authenticator content from unauthorized disclosure and modification, directly addressing the insufficient protection of saved SSH credentials accessible to low-privileged users.
SI-2 requires timely identification, reporting, and correction of system flaws, enabling patching of the specific vulnerability that allows extraction of SSH credentials.
AC-6 enforces least privilege, limiting low-privileged users' access to sensitive credential storage and mitigating unauthorized extraction.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Directly enables extraction of insufficiently protected saved SSH credentials (CWE-522), mapping to unsecured credentials access and private key retrieval.
NVD Description
A vulnerability allowing a low-privileged user to extract saved SSH credentials.
Deeper analysis
CVE-2026-21670 is a vulnerability that allows a low-privileged user to extract saved SSH credentials, classified under CWE-522 (Insufficiently Protected Credentials). It affects Veeam software, as detailed in the vendor's knowledge base article. The vulnerability received a CVSS v3.1 base score of 7.7 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N), indicating high severity due to network accessibility, low attack complexity, low privilege requirements, no user interaction, changed scope, and high confidentiality impact.
A low-privileged user (PR:L) can exploit this vulnerability remotely over the network (AV:N) with low complexity and no user interaction. Successful exploitation enables the attacker to achieve high confidentiality impact (C:H) by extracting saved SSH credentials, potentially leading to unauthorized access to other systems or resources configured via those credentials.
The Veeam knowledge base article at https://www.veeam.com/kb4831 provides details on mitigation and patches for this vulnerability. Security practitioners should consult this advisory for specific remediation steps, such as applying the recommended updates.
Details
- CWE(s)