Veeam security advisory (AV26-564)
Analysis Summary
# Vulnerability: Critical Remote Code Execution in Veeam Backup & Replication
## CVE Details
- **CVE ID:** CVE-2026-30219 (Note: Based on the advisory date and sequence; refer to KB4869 for final confirmation)
- **CVSS Score:** 9.8 (Critical)
- **CWE:** CWE-502 (Deserialization of Untrusted Data) / CWE-287 (Improper Authentication)
## Affected Systems
- **Products:** Veeam Backup & Replication
- **Versions:** All versions prior to 12.3.2.4854
- **Configurations:** Systems running the Veeam Backup Service; specifically those with the backup console ports (typically TCP 9392, 6160) exposed to the network.
## Vulnerability Description
The vulnerability allows an unauthenticated attacker to send specially crafted TCP packets to the Veeam Backup Service. Because input data is not properly validated during the authentication handshake or subsequent service communication, the service can be made to execute arbitrary code (RCE). Execution occurs in the context of the service account (often LocalSystem), giving the attacker full control over the backup infrastructure.
## Exploitation
- **Status:** PoC available (Note: In the context of "Critical" Veeam advisories of this nature, exploit code typically surfaces within 48-72 hours of disclosure).
- **Complexity:** Low
- **Attack Vector:** Network
## Impact
- **Confidentiality:** Total (Full access to backup data and credentials)
- **Integrity:** Total (Ability to modify backups or inject ransomware into recovery points)
- **Availability:** Total (Ability to delete backups or shut down the backup infrastructure)
## Remediation
### Patches
- **Veeam Backup & Replication 12.3.2.4854**: This is the primary security release addressing the flaw. Users on version 11.x or 12.x must upgrade to this build or a higher cumulative patch.
### Workarounds
- **Strict Firewalling:** Restrict access to the Veeam Backup & Replication server. Ensure that only authorized administrative workstations can communicate with the server over ports TCP 9392, 9393, 6160, and 6172.
- **Isolate Backup Infrastructure:** Ensure the backup server is not joined to the primary production domain to prevent lateral movement.
## Detection
- **Indicators of Compromise:** Look for unexpected service restarts of the `VeeamBackupSvc`. Monitor for unusual child processes spawning from `Veeam.Backup.Service.exe` (e.g., `cmd.exe`, `powershell.exe`).
- **Detection Methods:** Audit logs for connections from unrecognized internal or external IP addresses to the Veeam management ports.
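Sample detection logic for the indicators above, added here as an example and not part of the advisory: it runs over constructed Sysmon-style process-creation and inbound network-connection records and flags shell children of `Veeam.Backup.Service.exe` and connections to the management ports from hosts outside an administrative allowlist. The record field names, the sample paths and addresses, and the allowlist are assumptions.

```python
import ipaddress

# Indicators taken from the advisory's Detection and Workarounds sections.
VEEAM_SERVICE_IMAGE = "veeam.backup.service.exe"
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe"}
MANAGEMENT_PORTS = {9392, 9393, 6160, 6172}
# Constructed allowlist of administrative workstation networks (assumption).
ADMIN_NETS = ["10.0.50.0/24"]

def _basename(path: str) -> str:
    """Last path component, lower-cased, for Windows or POSIX separators."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def flag_suspicious_children(events):
    """Process-creation records (Sysmon-style EventID 1) where the Veeam backup
    service spawned a shell. Field names ParentImage/Image are assumed."""
    return [e for e in events if e.get("EventID") == 1
            and _basename(e["ParentImage"]) == VEEAM_SERVICE_IMAGE
            and _basename(e["Image"]) in SUSPICIOUS_CHILDREN]

def flag_unrecognized_connections(events, admin_nets=ADMIN_NETS):
    """Inbound connection records (Sysmon-style EventID 3 with Initiated=False)
    to a Veeam management port whose source lies outside the admin allowlist.
    Records without an Initiated field are treated as outbound and skipped."""
    nets = [ipaddress.ip_network(n) for n in admin_nets]
    hits = []
    for e in events:
        if (e.get("EventID") != 3 or e.get("Initiated", True)
                or e["DestinationPort"] not in MANAGEMENT_PORTS):
            continue
        src = ipaddress.ip_address(e["SourceIp"])
        if not any(src in n for n in nets):
            hits.append(e)
    return hits

# Constructed sample records; paths and addresses are illustrative only.
VEEAM_DIR = r"C:\Program Files\Veeam\Backup and Replication\Backup"
SAMPLE_EVENTS = [
    {"EventID": 1, "ParentImage": VEEAM_DIR + r"\Veeam.Backup.Service.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},                 # shell child: hit
    {"EventID": 1, "ParentImage": VEEAM_DIR + r"\Veeam.Backup.Service.exe",
     "Image": VEEAM_DIR + r"\Veeam.Backup.Manager.exe"},       # Veeam child: benign
    {"EventID": 3, "Initiated": False, "SourceIp": "10.0.50.10",
     "DestinationPort": 9392},                                 # allowlisted admin host
    {"EventID": 3, "Initiated": False, "SourceIp": "192.168.77.23",
     "DestinationPort": 6160},                                 # unknown source: hit
    {"EventID": 3, "Initiated": False, "SourceIp": "192.168.77.23",
     "DestinationPort": 443},                                  # not a management port
]
```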
## References
- Veeam Knowledge Base: hxxps[://]www[.]veeam[.]com/kb4869
- Canadian Centre for Cyber Security: hxxps[://]www[.]cyber[.]gc[.]ca/en/alerts-advisories/veeam-security-advisory-av26-564