{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-21672", "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "state": "PUBLISHED", "assignerShortName": "hackerone", "dateReserved": "2026-01-02T15:00:02.872Z", "datePublished": "2026-03-12T16:26:52.213Z", "dateUpdated": "2026-03-13T03:55:47.412Z"}, "containers": {"cna": {"descriptions": [{"lang": "en", "value": "A vulnerability allowing local privilege escalation on Windows-based Veeam Backup & Replication servers."}], "affected": [{"defaultStatus": "unaffected", "vendor": "Veeam", "product": "Backup and Recovery", "versions": [{"version": "12.3.2", "status": "affected", "lessThan": "12.3.2", "versionType": "semver"}, {"version": "13.0.1", "status": "affected", "lessThan": "13.0.1", "versionType": "semver"}]}], "references": [{"url": "https://www.veeam.com/kb4831"}, {"url": "https://www.veeam.com/kb4830"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH"}}], "providerMetadata": {"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone", "dateUpdated": "2026-03-12T16:26:52.213Z"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-noinfo Not enough information"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-12T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2026-21672"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-13T03:55:47.412Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-21672", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-12T17:27:26.063042Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "description": "CWE-noinfo Not enough information"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-12T17:27:35.885Z"}}], "cna": {"metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 8.8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"}}], "affected": [{"vendor": "Veeam", "product": "Backup and Recovery", "versions": [{"status": "affected", "version": "12.3.2", "lessThan": "12.3.2", "versionType": "semver"}, {"status": "affected", "version": "13.0.1", "lessThan": "13.0.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://www.veeam.com/kb4831"}, {"url": "https://www.veeam.com/kb4830"}], "descriptions": [{"lang": "en", "value": "A vulnerability allowing local privilege escalation on Windows-based Veeam Backup & Replication servers."}], "providerMetadata": {"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone", "dateUpdated": "2026-03-12T16:26:52.213Z"}}}, "cveMetadata": {"cveId": "CVE-2026-21672", "state": "PUBLISHED", "dateUpdated": "2026-03-13T03:55:47.412Z", "dateReserved": "2026-01-02T15:00:02.872Z", "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "datePublished": "2026-03-12T16:26:52.213Z", "assignerShortName": "hackerone"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability allowing local privilege escalation on Windows-based Veeam Backup & Replication servers."}], "id": "CVE-2026-21672", "lastModified": "2026-03-12T21:07:53.427", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.0, "impactScore": 6.0, "source": "support@hackerone.com", "type": "Secondary"}]}, "published": "2026-03-12T17:16:35.633", "references": [{"source": "support@hackerone.com", "url": "https://www.veeam.com/kb4830"}, {"source": "support@hackerone.com", "url": "https://www.veeam.com/kb4831"}], "sourceIdentifier": "support@hackerone.com", "vulnStatus": "Awaiting Analysis"}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[12.3.2,12.3.2)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[13.0.1,13.0.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Backup and Recovery", "source": "cna", "vendor": "Veeam"}, "product": "backup_and_recovery", "vendor": "veeam"}], "analysis": {"en": {"generated_at": "2026-03-26T01:55:13.148047+00:00", "value": {"mitigation_remediation": ["Apply the most recent Veeam Backup & Replication update that addresses the local privilege escalation flaw (see Veeam references).", "Confirm the update installation by checking the product version number.", "Restrict local administrative rights and enforce least\u2011privilege for user accounts that run Veeam services.", "Monitor audit logs for unusual activity or repeated elevation attempts."], "summary": {"action": "Immediate Patch", "impact": "Local privilege escalation on Windows Veeam Backup & Replication servers"}, "threat_synthesis": {"affected_systems": "Veeam Backup & Replication for Windows. No specific affected versions are listed in the CNA data, so all installations prior to the update are potentially vulnerable.", "description_and_impact": "A flaw in Windows-based Veeam Backup & Replication allows a user with local access to elevate privileges to administrative levels. This local privilege escalation means an attacker who can execute code or commands locally could gain full control of the server, enabling compromise of data confidentiality, integrity, and availability. The weakness is classified as improper user access control (CWE-284) and incorrect file permissions (CWE-732).", "risk_and_exploitability": "The vulnerability has a CVSS score of 8.8, indicating high severity. EPSS suggests a very low probability of exploitation (<1%). It is not yet listed in the CISA KEV catalog. Because the issue is a local privilege escalation, the attacker must have some local presence or user credentials; remote exploitation without local foothold is not supported by the available information."}}}}, "created": "2026-03-13T09:51:11.963595+00:00", "updated": "2026-03-26T13:55:47.926159+00:00", "vendors": ["veeam", "veeam$PRODUCT$backup_and_recovery"]}