{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-21708", "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "state": "PUBLISHED", "assignerShortName": "hackerone", "dateReserved": "2026-01-04T15:00:06.573Z", "datePublished": "2026-03-12T16:26:52.931Z", "dateUpdated": "2026-03-13T03:55:48.114Z"}, "containers": {"cna": {"descriptions": [{"lang": "en", "value": "A vulnerability allowing a Backup Viewer to perform remote code execution (RCE) as the postgres user."}], "affected": [{"defaultStatus": "unaffected", "vendor": "Veeam", "product": "Backup and Recovery", "versions": [{"version": "12.3.2", "status": "affected", "lessThan": "12.3.2", "versionType": "semver"}, {"version": "13.0.1", "status": "affected", "lessThan": "13.0.1", "versionType": "semver"}]}], "references": [{"url": "https://www.veeam.com/kb4831"}, {"url": "https://www.veeam.com/kb4830"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "baseScore": 10, "baseSeverity": "CRITICAL"}}], "providerMetadata": {"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone", "dateUpdated": "2026-03-12T16:26:52.931Z"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-noinfo Not enough information"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-12T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2026-21708"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-13T03:55:48.114Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-21708", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-12T17:27:51.896970Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "description": "CWE-noinfo Not enough information"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-12T17:28:02.623Z"}}], "cna": {"metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 10, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"}}], "affected": [{"vendor": "Veeam", "product": "Backup and Recovery", "versions": [{"status": "affected", "version": "12.3.2", "lessThan": "12.3.2", "versionType": "semver"}, {"status": "affected", "version": "13.0.1", "lessThan": "13.0.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://www.veeam.com/kb4831"}, {"url": "https://www.veeam.com/kb4830"}], "descriptions": [{"lang": "en", "value": "A vulnerability allowing a Backup Viewer to perform remote code execution (RCE) as the postgres user."}], "providerMetadata": {"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone", "dateUpdated": "2026-03-12T16:26:52.931Z"}}}, "cveMetadata": {"cveId": "CVE-2026-21708", "state": "PUBLISHED", "dateUpdated": "2026-03-12T17:28:06.760Z", "dateReserved": "2026-01-04T15:00:06.573Z", "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "datePublished": "2026-03-12T16:26:52.931Z", "assignerShortName": "hackerone"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability allowing a Backup Viewer to perform remote code execution (RCE) as the postgres user."}], "id": "CVE-2026-21708", "lastModified": "2026-03-12T21:07:53.427", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 6.0, "source": "support@hackerone.com", "type": "Secondary"}]}, "published": "2026-03-12T17:16:36.683", "references": [{"source": "support@hackerone.com", "url": "https://www.veeam.com/kb4830"}, {"source": "support@hackerone.com", "url": "https://www.veeam.com/kb4831"}], "sourceIdentifier": "support@hackerone.com", "vulnStatus": "Awaiting Analysis"}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[12.3.2,12.3.2)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[13.0.1,13.0.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Backup and Recovery", "source": "cna", "vendor": "Veeam"}, "product": "backup_and_recovery", "vendor": "veeam"}], "analysis": {"en": {"generated_at": "2026-03-26T01:54:59.691217+00:00", "value": {"mitigation_remediation": ["Apply the latest vendor patch for Veeam Backup and Recovery as detailed in the official advisories (KB4830 and KB4831).", "If patching cannot proceed immediately, restrict external network access to the Backup Viewer service and isolate the PostgreSQL instance to prevent unauthorized connections.", "After applying the fix, verify that the vulnerability has been remediated by following the validation steps provided in Veeam\u2019s release notes and consider scanning the environment for signs of exploitation."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The affected product is Veeam Backup and Recovery, specifically the Backup Viewer component. All deployed instances that operate under the default installation context and run a PostgreSQL database component are susceptible. Version information is not explicitly listed, indicating that the issue may apply to multiple or all current releases until the vendor issues a fix.", "description_and_impact": "A vulnerability exists in Veeam Backup and Recovery that allows a Backup Viewer instance to execute arbitrary code with the privileges of the Postgres system user. This flaw enables an attacker to run malicious commands or compromise the database engine, potentially leading to full system compromise. The weakness falls under improper privilege management and code injection controls, reflected in CWE-269 and CWE-94. Because the vulnerability grants execution at the postgres user level, the impact is severe, enabling complete takeover of the affected host.", "risk_and_exploitability": "The CVSS base score of 10.0 signals maximum severity, while an EPSS probability of 1% indicates that exploitation is considered unlikely but possible. The vulnerability is not listed in the CISA KEV catalog, but its remote nature and high impact necessitate prompt action. Attackers would need remote access to a running Backup Viewer instance, potentially via network ports that expose the viewer service. Once accessed, the flaw can be leveraged to run arbitrary commands under the postgres user, providing a foothold for further lateral movement or data theft."}}}}, "created": "2026-03-13T09:51:10.422366+00:00", "updated": "2026-03-26T13:55:46.892480+00:00", "vendors": ["veeam", "veeam$PRODUCT$backup_and_recovery"]}