Your Backup Software Has A Critical Flaw Hackers Can Exploit

By 813 Staff

BleepingComputer (@BleepinComputer) reported the story within the last 24 hours.

Source: https://x.com/BleepinComputer/status/2032139446452211756

An internal security bulletin from Veeam, circulated to major enterprise clients and obtained by 813, warns of two critical vulnerabilities that, if chained together, could allow attackers to seize control of the company’s flagship backup servers. The disclosure, first reported by BleepingComputer (@BleepinComputer), has sent a jolt through IT and security teams globally, as Veeam’s software is a cornerstone of data protection strategies for a vast majority of Fortune 500 companies. The flaws, tracked as CVE-2026-36412 and CVE-2026-36413, carry a maximum CVSS severity score of 10.0 and 9.9 respectively. According to the documents, exploitation requires no user interaction and no special privileges, making any unpatched Veeam Backup & Replication server exposed to the internet a prime target.

The specific threat is a remote code execution (RCE) attack vector within the software’s enterprise manager web portal. Engineers close to the project say the vulnerabilities reside in the authentication mechanism and could allow an unauthenticated attacker to bypass security checks and execute arbitrary commands with SYSTEM-level privileges on the Windows server hosting the Veeam instance. This level of access is essentially total control, providing not only a beachhead within a corporate network but also potential access to the very backup repositories meant to be a last line of defense in a ransomware scenario. The compromised system could be used to corrupt or delete backups, crippling an organization’s ability to recover from an attack, or as a launchpad for further lateral movement.

For CISOs and infrastructure leads, the directive is unambiguous and urgent. Veeam has released fixed versions—12.2.0.334 and 12.1.2.172—and patching must be treated as a fire drill. The company has stated it is unaware of any active in-the-wild exploits, but the simplicity of the attack path makes it highly likely that proof-of-concept code will be developed rapidly. The rollout of these patches, however, has been anything but smooth for some large-scale deployments, with administrators in private forums noting the complexity of testing backup software updates in heterogeneous environments without disrupting critical recovery capabilities.
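The fixed builds named above (12.2.0.334 and 12.1.2.172) only help if a team can quickly tell which of its servers are still below them. The following is an added example, not code from the article, from Veeam or from BleepingComputer: it takes a list of hostnames and installed version strings from whatever inventory a team already keeps and sorts them into patched, vulnerable and unknown. It assumes, since the page does not say so, that each fixed build applies to its own release branch (12.1.x measured against 12.1.2.172, 12.2.x against 12.2.0.334); versions outside those two branches are deliberately reported as unknown so they get a manual check against the vendor bulletin rather than a false "patched" verdict. The hostnames and versions in the sample inventory are constructed.

```python
"""Triage Veeam Backup & Replication version strings against the fixed builds
named in the bulletin (12.2.0.334 and 12.1.2.172).

Assumption, not stated on the page: each fixed build covers its own release
branch, so 12.1.x installs are compared with 12.1.2.172 and 12.2.x installs
with 12.2.0.334. Anything outside those branches is reported as "unknown".
"""
from typing import Dict, List, Tuple

Version = Tuple[int, int, int, int]

# Fixed builds from the bulletin, keyed by (major, minor) release branch.
FIXED_BUILDS: Dict[Tuple[int, int], Version] = {
    (12, 1): (12, 1, 2, 172),
    (12, 2): (12, 2, 0, 334),
}


def parse_version(text: str) -> Version:
    """Turn 'v12.1.2.172' or '12.2.0.334' into a 4-tuple; pad short strings with 0."""
    parts = text.strip().lstrip("vV").split(".")
    if not 2 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (4 - len(parts))
    return (nums[0], nums[1], nums[2], nums[3])


def assess(version_text: str) -> str:
    """Return 'patched', 'vulnerable' or 'unknown' for one installed version."""
    try:
        v = parse_version(version_text)
    except ValueError:
        return "unknown"  # unparseable inventory entry: needs a human look
    fixed = FIXED_BUILDS.get((v[0], v[1]))
    if fixed is None:
        return "unknown"  # branch not covered by the two listed builds
    # Tuple comparison is lexicographic, so 12.2.0.100 < 12.2.0.334 as intended.
    return "patched" if v >= fixed else "vulnerable"


def triage(inventory: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Group hosts by verdict so the 'vulnerable' list can drive the patch run."""
    buckets: Dict[str, List[str]] = {"vulnerable": [], "patched": [], "unknown": []}
    for host, version in inventory:
        buckets[assess(version)].append(host)
    return buckets


# Constructed sample inventory: hostnames and installed versions are made up.
SAMPLE_INVENTORY: List[Tuple[str, str]] = [
    ("vbr-prod-01", "12.2.0.334"),
    ("vbr-prod-02", "12.2.0.100"),
    ("vbr-dr-01", "12.1.2.172"),
    ("vbr-dr-02", "v12.1.1.56"),
    ("vbr-lab-01", "12.0.0.1420"),
    ("vbr-lab-02", "n/a"),
]

if __name__ == "__main__":
    for verdict, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{verdict:10s} {', '.join(hosts) or '-'}")
```

The "unknown" bucket is the important design choice: a triage script that silently treats an unrecognised branch or a malformed inventory entry as safe would hide exactly the servers most likely to be forgotten during a rushed patch window.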

What happens next is a race against the clock. The security community is now reverse-engineering the patches, which typically leads to public exploit details within days. Organizations that delay patching are gambling with their crown jewel data. The broader consequence is a stark reminder that backup infrastructure, often considered a passive, behind-the-scenes service, is a high-value target that must be hardened and segmented with the same rigor as any primary system. The coming weeks will reveal whether the patch adoption curve outpaces the inevitable scanning and exploitation attempts now targeting one of the world’s most ubiquitous data protection platforms.
