Cyber Resilience

CVE-2026-21708

Severity: Critical
Published: 12 March 2026
Modified: 05 June 2026
KEV added: not listed
Remediation: patch
CVSS v3.1 score: 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L)
EPSS score: 0.0109 (61.2th percentile)
Risk priority: 70 (floored blend, peak EPSS)

Summary

CVE-2026-21708 is a critical-severity SQL injection (CWE-89) vulnerability in Veeam Backup & Replication. Its CVSS base score is 9.9 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks in the top 38.8% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-21708 is a SQL injection vulnerability (CWE-89) that enables an account holding the Backup Viewer role to achieve remote code execution as the postgres user. The flaw affects the Veeam backup software components that expose this role and interact with the postgres database, as indicated by the associated Veeam knowledge base references. It carries a CVSS 3.1 score of 9.9, reflecting a network attack vector, low attack complexity, low privileges required, and changed scope with high impact on confidentiality and integrity.

An attacker who obtains or is granted Backup Viewer credentials can exploit the issue over the network to run arbitrary commands as the postgres user, resulting in broad database and host-level access within the affected environment.

Advisory and patch details are documented in the Veeam knowledge base articles at https://www.veeam.com/kb4830 and https://www.veeam.com/kb4831. The EPSS score remains low, with a current value of 0.0132 and a peak of 0.0152.

Vulnerability details

A vulnerability allowing a Backup Viewer to perform remote code execution (RCE) as the postgres user.

CWE(s)

CWE-89 SQL Injection

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1210 Exploitation of Remote Services (tactic: Lateral Movement): Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
Why these techniques?

Low-privileged (Backup Viewer) remote code execution as the postgres user directly enables exploitation for privilege escalation (T1068) and exploitation of remote services (T1210).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-48984 (same product: Veeam Backup & Replication)
CVE-2026-21667 (same product: Veeam Backup & Replication)
CVE-2025-48983 (same product: Veeam Backup & Replication)
CVE-2026-21669 (same product: Veeam Backup & Replication)
CVE-2025-59469 (same product: Veeam Backup & Replication)
CVE-2025-59470 (same product: Veeam Backup & Replication)
CVE-2026-21671 (same product: Veeam Backup & Replication)
CVE-2025-55125 (same product: Veeam Backup & Replication)
CVE-2025-23120 (same product: Veeam Backup & Replication)
CVE-2026-21666 (same product: Veeam Backup & Replication)

Affected Assets

Vendor: Veeam
Product: Veeam Backup & Replication
Affected versions: 12.0.0.1402 through 12.3.2.4465

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

prevent (SI-10, Information Input Validation): Directly requires validation of all inputs to the postgres-interfacing components, blocking the SQL injection that enables Backup Viewer RCE.

prevent (AC-6, Least Privilege): Enforces least privilege so the Backup Viewer role cannot execute arbitrary commands or access postgres-level operations even if credentials are obtained.

prevent: Ensures the Backup Viewer role's permitted actions are strictly enforced at the application boundary, preventing unauthorized escalation to postgres RCE.
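The SI-10 control above comes down to one coding discipline: user-controlled values never become part of the SQL text. The following is an added example (not code from this page, from Veeam, or from the advisories) that shows the CWE-89 pattern beside its hardened form. It uses Python's built-in sqlite3 module as an offline stand-in for the PostgreSQL backend, with an invented jobs table and constructed sample rows; a low-privileged "viewer" is meant to see only its own tenant's jobs. The vulnerable version concatenates the filter, so a crafted filter string widens the query to every tenant; the hardened version binds values as parameters and allow-lists the one thing that cannot be bound, the sort column identifier.

```python
import sqlite3

# Constructed sample data standing in for a backup server's job table.
# sqlite3 is an offline stand-in for PostgreSQL here; the schema is invented.
JOBS = [
    (1, "tenant-a", "nightly-vm-backup"),
    (2, "tenant-a", "weekly-full"),
    (3, "tenant-b", "sql-log-shipping"),
]

# Constructed filter value that breaks out of the quoted LIKE pattern.
INJECTED_FILTER = "' OR 1=1 OR name LIKE '"

# Identifiers cannot be bound as parameters, so they are allow-listed instead.
ALLOWED_SORT_COLUMNS = {"id", "name"}


def make_db():
    """Create an in-memory database populated with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE jobs (id INTEGER PRIMARY KEY, tenant TEXT, name TEXT)")
    conn.executemany("INSERT INTO jobs VALUES (?, ?, ?)", JOBS)
    return conn


def list_jobs_vulnerable(conn, tenant, name_filter):
    """CWE-89: the caller-supplied filter is spliced straight into the SQL text.

    The tenant restriction is meant to scope a viewer to its own jobs, but a
    filter value containing a quote rewrites the WHERE clause."""
    sql = (
        "SELECT id, name FROM jobs "
        f"WHERE tenant = '{tenant}' AND name LIKE '%{name_filter}%'"
    )
    return conn.execute(sql).fetchall()


def list_jobs_hardened(conn, tenant, name_filter, sort_by="id"):
    """Hardened: values travel as bound parameters, never as SQL text.

    The LIKE pattern is assembled in Python and passed as a parameter, so quote
    characters inside it are data, not syntax. The ORDER BY column is an
    identifier and cannot be bound, so it is checked against an allow-list
    before it is interpolated."""
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort_by!r}")
    sql = (
        "SELECT id, name FROM jobs "
        f"WHERE tenant = ? AND name LIKE ? ORDER BY {sort_by}"
    )
    return conn.execute(sql, (tenant, f"%{name_filter}%")).fetchall()


def demo():
    """Run both variants as a tenant-a viewer and return what each one leaks."""
    conn = make_db()
    return {
        "legit_vulnerable": list_jobs_vulnerable(conn, "tenant-a", "nightly"),
        "legit_hardened": list_jobs_hardened(conn, "tenant-a", "nightly"),
        # Vulnerable path: the tenant scope is bypassed and every row comes back.
        "injected_vulnerable": list_jobs_vulnerable(conn, "tenant-a", INJECTED_FILTER),
        # Hardened path: the same string is just a LIKE pattern that matches nothing.
        "injected_hardened": list_jobs_hardened(conn, "tenant-a", INJECTED_FILTER),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

Binding parameters fixes the value side of the problem; the identifier allow-list is what keeps the hardened query from reintroducing the same bug through a "sort by" or "column" option. In a real deployment the database role the application connects with should additionally be stripped of anything it does not need (AC-6 above), so that a query which does slip through has less to reach.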

References

https://www.veeam.com/kb4830
https://www.veeam.com/kb4831