Cyber Posture

CVE-2026-21671

CriticalRCEUpdated

Published: 12 March 2026

Published
12 March 2026
Modified
10 May 2026
KEV Added
Patch
CVSS Score 9.1 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
EPSS Score 0.0046 64.1th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-21671 is a critical-severity Code Injection (CWE-94) vulnerability in Veeam Veeam Backup \& Replication. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210); ranked in the top 35.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation of Remote Services (T1210). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

Directly mitigates CVE-2026-21671 by requiring timely application of vendor patches to remediate the code injection vulnerability in Veeam Backup & Replication HA deployments.

SI-10 Information Input Validation good match
prevent

Prevents code injection (CWE-94) exploitation by enforcing information input validation at critical entry points in the vulnerable Veeam component.

AC-6 Least Privilege partial match
prevent

Reduces attack surface by applying least privilege to limit assignment of the Backup Administrator role necessary for RCE exploitation.

MITRE ATT&CK Enterprise TechniquesAI

T1210 Exploitation of Remote Services Lateral Movement
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
attack.mitre.org →
Why these techniques?

The vulnerability allows authenticated remote code execution via code injection in Veeam Backup & Replication, a remote service, directly mapping to Exploitation of Remote Services (T1210).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

A vulnerability allowing an authenticated user with the Backup Administrator role to perform remote code execution (RCE) in high availability (HA) deployments of Veeam Backup & Replication.

Deeper analysisAI

CVE-2026-21671 is a code injection vulnerability (CWE-94) in high availability (HA) deployments of Veeam Backup & Replication, enabling an authenticated user with the Backup Administrator role to achieve remote code execution (RCE). Published on 2026-03-12, it carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H), indicating critical severity due to its network accessibility, low attack complexity, and elevated privilege requirements.

Exploitation requires an authenticated attacker possessing the Backup Administrator role, who can then execute arbitrary code remotely over the network without user interaction. This grants high-impact consequences, including full compromise of confidentiality, integrity, and availability across the scoped components in HA environments.

Veeam's advisory at https://www.veeam.com/kb4831 provides details on patches and mitigation steps for this vulnerability.

Details

CWE(s)
CWE-94CWE-693

Affected Products

veeam
veeam backup \& replication
13.0.0.496 — 13.0.1.1071

CVEs Like This One

CVE-2026-21669Same product: Veeam Veeam Backup \& Replication
CVE-2025-48984Same product: Veeam Veeam Backup \& Replication
CVE-2025-59470Same product: Veeam Veeam Backup \& Replication
CVE-2026-21666Same product: Veeam Veeam Backup \& Replication
CVE-2026-21667Same product: Veeam Veeam Backup \& Replication
CVE-2025-23120Same product: Veeam Veeam Backup \& Replication
CVE-2025-48983Same product: Veeam Veeam Backup \& Replication
CVE-2025-59468Same product: Veeam Veeam Backup \& Replication
CVE-2026-21668Same product: Veeam Veeam Backup \& Replication
CVE-2025-59469Same product: Veeam Veeam Backup \& Replication

References