bleepingcomputer.com
By Sergiu Gatlan
March 12, 2026

Data protection company Veeam Software has patched multiple flaws in its Backup & Replication solution, including four critical remote code execution (RCE) vulnerabilities.

VBR is enterprise data backup and recovery software that helps IT administrators to create copies of critical data for quick restoration following cyberattacks and hardware failures.

Three RCE security flaws patched today (tracked as CVE-2026-21666, CVE-2026-21667, and CVE-2026-21669) allow low-privileged domain users to execute remote code on vulnerable backup servers in low-complexity attacks.

The fourth one (tracked as CVE-2026-21708) allows a Backup Viewer to gain remote code execution as the postgres user.

Veeam also addressed several high-severity security bugs that can be exploited to escalate privileges on Windows-based Veeam Backup & Replication servers, extract saved SSH credentials, and bypass restrictions to manipulate arbitrary files on a Backup Repository.

These vulnerabilities were discovered during internal testing or reported through HackerOne and are resolved in Veeam Backup & Replication versions 12.3.2.4465 and 13.0.1.2067.

Veeam also warned admins to upgrade the software to the latest release as soon as possible, since threat actors often begin developing exploits shortly after patches are released.

"It's important to note that once a vulnerability and its associated patch are disclosed, attackers will likely attempt to reverse-engineer the patch to exploit unpatched deployments of Veeam software," the company warned. "This reality underscores the critical importance of ensuring that all customers use the latest versions of our software and install all updates and patches without delay."

VBR servers targeted in ransomware attacks
VBR is popular among managed service providers and mid-sized to large enterprises, even though ransomware gangs commonly target VBR servers because they can serve as a quick jumping-off point for lateral movement within breached networks, simplify data theft, and make it easy to block restoration efforts by deleting victims' backups.

The financially motivated FIN7 threat group (which previously collaborated with the Conti, REvil, Maze, Egregor, and BlackBasta ransomware groups) and the Cuba ransomware gang have both been linked to past attacks targeting VBR vulnerabilities.

Sophos X-Ops incident responders also revealed in November 2024 that Frag ransomware exploited another VBR RCE bug disclosed two months earlier and also used in Akira and Fog ransomware attacks starting in October 2024.

Veeam says its products are used by more than 550,000 customers worldwide, including 74% of Global 2,000 firms and 82% of Fortune 500 companies.

https://www.sonicwall.com/support/
Updated
September 22, 2025

Description

SonicWall’s security teams recently detected suspicious activity targeting the cloud backup service for firewalls, which we confirmed as a security incident in the past few days.

Our investigation found that threat actors accessed backup firewall preference files stored in the cloud for fewer than 5% of our firewall install base. While credentials within the files were encrypted, the files also included information that could make it easier for attackers to potentially exploit the related firewall.

We are not presently aware of these files being leaked online by threat actors. This was not a ransomware or similar event for SonicWall, rather this was a series of brute force attacks aimed at gaining access to the preference files stored in backup for potential further use by threat actors.

TIP: Learn more by watching this helpful video guide here
Affected Products:

SonicWall Firewalls with preference files backed up in MySonicWall.com

Due to the sensitivity of the configuration files, we highly encourage customers to take the following steps immediately:

Log in to your MySonicWall.com account and verify if cloud backups exist for your registered firewalls: 
    If fields are blank (Figure 1): You are NOT at risk.
    A screenshot of a computer AI-generated content may be incorrect.
    Figure 1 – Does Not Contain Backup

    If fields contain backup details (Figure 2): Please continue reading.
    Image
    Figure 2 – Contains Backups

Verify whether impacted serial numbers are listed in your account. Upon login, navigate to Product Management | Issue List, the affected serial numbers will be flagged with information such as Friendly Name, Last Download Date and Known Impacted Services.
Image

    If Serial Numbers are shown: the listed firewalls are at risk and should follow the containment and remediation guidelines: Essential Credential Reset
    NOTE: Impacted Services should be used for general guidance only.  The services listed were identified as being enabled and should be immediately reviewed.  ALL SERVICES WITH CREDENTIALS THAT WERE ENABLED AT, OR BEFORE, THE TIME OF BACKUP SHOULD BE REVIEWED FOR EACH SERIAL NUMBER LISTED. 
    If you have used the Cloud Backup feature but no Serial Numbers are shown or only some of your registered Serial Numbers: 
            SonicWall will provide additional guidance in coming days to determine if your backup files were impacted.
            Please check back on this page for this additional information: MySonicWall Cloud Backup File Incident

Technical Containment and Mitigation Documentation can be found at:

Essential Credential Reset
Remediation Playbook

NOTE: Use the SonicWall Online Tool to identify services that require remediation. Follow the on-screen instructions to proceed. (UPE Mode is not supported.)

We have a dedicated support service team available to help you with any of these changes. If you need any assistance, please login to your MySonicWall account and open a case with our Support team. You can access your account at: https://www.mysonicwall.com/muir/login.
Change Log:

2025-9-17 4:40 AM PDT: Initial publish.
2025-9-17 2:45 PM PDT: Minor formatting update.
2025-9-17 8:45 PM PDT: Revised incident disclosure text to clarify scope (<5% of firewalls), encrypted credentials, no known leaks, and brute-force (not ransomware) attack.
2025-9-18  5:38 AM PDT: Changed formatting and provided detailed steps with screenshots.
2025-9-18  9:19 AM PDT: Updated guidance steps, navigation screenshots, and note clarifying review of impacted services.
2025-9-18 4:30 PM PDT: Updated KB text and image to clarify affected products, provide step-by-step backup verification instructions, and replace figures showing when backups are or are not present.
2025-9-19 1:15 PM PDT: No updates at this time.
2025-9-20 9:15 AM PDT: Added a Tip with a video guide and a Note linking to the SonicWall online tool for firewall configuration analysis and remediation guidance.
2025-9-22 8:20 AM PDT: No updates at this time.

Elle estimait que la société chargée du renouvellement de ses serveurs informatiques avait failli dans sa mission.

Veeam Backup Enterprise Manager Authentication Bypass

CVE-2023-45498/CVE-2023-45499 advisory

A ransomware affiliate is targeting publicly exposed Veritas installations to gain access to organizations.

Vulnerability CVE-2023-27532 in a Veeam Backup & Replication component allows an unauthenticated user operating within the backup infrastructure network perimeter to obtain encrypted credentials stored in the configuration database. This may lead to an attacker gaining access to the backup infrastructure hosts.

Apple has launched its recent major security updates to the whole world.

We are working diligently to understand the scope of the incident and identify what specific information has been accessed.

Apple has announced three new security features that will help protect logins, iMessage conversations, and data snyced by iCloud.

Apple introduced today Advanced Data Protection for iCloud, a new feature that uses end-to-end encryption to protect sensitive iCloud data, including backups, Photos, Notes, and more.