Cyber Resilience

CVE-2026-21671

CriticalRCE

Published: 12 March 2026

Published
12 March 2026
Modified
10 May 2026
KEV Added
Patch
CVSS Score v3.1 9.1 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
EPSS Score 0.0133 67.4th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-21671 is a critical-severity Code Injection (CWE-94) vulnerability in Veeam Veeam Backup \& Replication. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210); ranked in the top 32.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-21671 is a code injection vulnerability (CWE-94) in high availability (HA) deployments of Veeam Backup & Replication, enabling an authenticated user with the Backup Administrator role to achieve remote code execution (RCE). Published on 2026-03-12, it carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H), indicating critical severity due to its network accessibility, low attack complexity, and elevated privilege requirements.

Exploitation requires an authenticated attacker possessing the Backup Administrator role, who can then execute arbitrary code remotely over the network without user interaction. This grants high-impact consequences, including full compromise of confidentiality, integrity, and availability across the scoped components in HA environments.

Veeam's advisory at https://www.veeam.com/kb4831 provides details on patches and mitigation steps for this vulnerability.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

A vulnerability allowing an authenticated user with the Backup Administrator role to perform remote code execution (RCE) in high availability (HA) deployments of Veeam Backup & Replication.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1210 Exploitation of Remote Services Lateral Movement
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
Why these techniques?

The vulnerability allows authenticated remote code execution via code injection in Veeam Backup & Replication, a remote service, directly mapping to Exploitation of Remote Services (T1210).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-21669Same product: Veeam Veeam Backup \& Replication
CVE-2025-59470Same product: Veeam Veeam Backup \& Replication
CVE-2025-48984Same product: Veeam Veeam Backup \& Replication
CVE-2026-21667Same product: Veeam Veeam Backup \& Replication
CVE-2025-23120Same product: Veeam Veeam Backup \& Replication
CVE-2025-48983Same product: Veeam Veeam Backup \& Replication
CVE-2026-21666Same product: Veeam Veeam Backup \& Replication
CVE-2025-59468Same product: Veeam Veeam Backup \& Replication
CVE-2026-21708Same product: Veeam Veeam Backup \& Replication
CVE-2026-21668Same product: Veeam Veeam Backup \& Replication

Affected Assets

veeam
veeam backup \& replication
13.0.0.496 — 13.0.1.1071

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates CVE-2026-21671 by requiring timely application of vendor patches to remediate the code injection vulnerability in Veeam Backup & Replication HA deployments.

prevent

Prevents code injection (CWE-94) exploitation by enforcing information input validation at critical entry points in the vulnerable Veeam component.

prevent

Reduces attack surface by applying least privilege to limit assignment of the Backup Administrator role necessary for RCE exploitation.

References