{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-21672", "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "state": "PUBLISHED", "assignerShortName": "hackerone", "dateReserved": "2026-01-02T15:00:02.872Z", "datePublished": "2026-03-12T16:26:52.213Z", "dateUpdated": "2026-03-13T03:55:47.412Z"}, "containers": {"cna": {"descriptions": [{"lang": "en", "value": "A vulnerability allowing local privilege escalation on Windows-based Veeam Backup & Replication servers."}], "affected": [{"defaultStatus": "unaffected", "vendor": "Veeam", "product": "Backup and Recovery", "versions": [{"version": "12.3.2", "status": "affected", "lessThan": "12.3.2", "versionType": "semver"}, {"version": "13.0.1", "status": "affected", "lessThan": "13.0.1", "versionType": "semver"}]}], "references": [{"url": "https://www.veeam.com/kb4831"}, {"url": "https://www.veeam.com/kb4830"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH"}}], "providerMetadata": {"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone", "dateUpdated": "2026-03-12T16:26:52.213Z"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-noinfo Not enough information"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-12T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2026-21672"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-13T03:55:47.412Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-21672", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-12T17:27:26.063042Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "description": "CWE-noinfo Not enough information"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-12T17:27:35.885Z"}}], "cna": {"metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 8.8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"}}], "affected": [{"vendor": "Veeam", "product": "Backup and Recovery", "versions": [{"status": "affected", "version": "12.3.2", "lessThan": "12.3.2", "versionType": "semver"}, {"status": "affected", "version": "13.0.1", "lessThan": "13.0.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://www.veeam.com/kb4831"}, {"url": "https://www.veeam.com/kb4830"}], "descriptions": [{"lang": "en", "value": "A vulnerability allowing local privilege escalation on Windows-based Veeam Backup & Replication servers."}], "providerMetadata": {"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone", "dateUpdated": "2026-03-12T16:26:52.213Z"}}}, "cveMetadata": {"cveId": "CVE-2026-21672", "state": "PUBLISHED", "dateUpdated": "2026-03-13T03:55:47.412Z", "dateReserved": "2026-01-02T15:00:02.872Z", "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "datePublished": "2026-03-12T16:26:52.213Z", "assignerShortName": "hackerone"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability allowing local privilege escalation on Windows-based Veeam Backup & Replication servers."}], "id": "CVE-2026-21672", "lastModified": "2026-03-12T21:07:53.427", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.0, "impactScore": 6.0, "source": "support@hackerone.com", "type": "Secondary"}]}, "published": "2026-03-12T17:16:35.633", "references": [{"source": "support@hackerone.com", "url": "https://www.veeam.com/kb4830"}, {"source": "support@hackerone.com", "url": "https://www.veeam.com/kb4831"}], "sourceIdentifier": "support@hackerone.com", "vulnStatus": "Awaiting Analysis"}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[12.3.2,12.3.2)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[13.0.1,13.0.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Backup and Recovery", "source": "cna", "vendor": "Veeam"}, "product": "backup_and_recovery", "vendor": "veeam"}], "analysis": {"en": {"generated_at": "2026-03-25T14:10:48.802532+00:00", "value": {"mitigation_remediation": ["Apply the official Veeam security update (KB-4830 or KB-4831) to all Windows Veeam Backup & Replication servers.", "Restart the Veeam Backup & Replication services after patching to ensure changes take effect.", "Review and remove any unnecessary local accounts that have administrative rights on the servers.", "Enforce the principle of least privilege by limiting local administrator access to essential personnel only.", "Monitor Windows event logs for unusual privilege escalation or authentication attempts."], "summary": {"action": "Immediate Patch", "impact": "Local Privilege Escalation"}, "threat_synthesis": {"affected_systems": "Veeam Backup & Replication installations on Windows servers are affected. No specific product versions are listed in the CVE data; administrators should review all deployed versions and ensure they are patched.", "description_and_impact": "A flaw in Windows-based Veeam Backup & Replication allows a local user to elevate privileges to administrator level. This gives an attacker unrestricted access to modify backup data, install malware, or alter system configuration, thereby exposing both confidentiality and integrity of backup assets.", "risk_and_exploitability": "With a CVSS score of 8.8 this vulnerability is high severity, and an EPSS score of less than 1% suggests a low probability of exploitation in the wild. It is not listed in the CISA KEV catalog. The likely attack vector is local access to the host, inferred from the description, meaning any user with local login rights could attempt the privilege escalation. Because the flaw allows full administrative control, the potential damage is extensive if exploited."}}}}, "created": "2026-03-13T09:51:11.963595+00:00", "updated": "2026-03-25T14:44:45.349525+00:00", "vendors": ["veeam", "veeam$PRODUCT$backup_and_recovery"]}