Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
A vulnerability allowing an authenticated user with the Backup Administrator role to write arbitrary files on Linux-based Veeam Backup & Replication server.
AnalysisAI
Arbitrary file write in Veeam Backup & Replication 13 (≤13.0.1) on Linux-based deployments allows an authenticated Backup Administrator to write files anywhere on the server filesystem, enabling code execution and full host compromise. CVSS 4.0 scores this 8.6 (High) due to network-reachable exploitation with high impact across confidentiality, integrity, and availability, though high privileges are required. No public exploit identified at time of analysis.
Technical ContextAI
Veeam Backup & Replication is an enterprise data-protection platform whose management server in version 13 supports Linux as a host OS. The flaw is classified as CWE-36 (Absolute Path Traversal), meaning an input that should resolve to a constrained directory is treated as an absolute path, letting the caller specify arbitrary destinations. The affected CPE is cpe:2.3:a:veeam:backup_and_replication and the issue is exposed through functionality available to the Backup Administrator role, which has broad operational privileges over backup jobs, repositories, and infrastructure components - but is not equivalent to OS root on the Linux host.
RemediationAI
Apply the fix per Veeam KB4852 (https://www.veeam.com/kb4852); upgrade beyond 13.0.1 once the vendor-released patched version is confirmed from that advisory - exact patched build is not enumerated in the provided intelligence, so treat 'Patch available per vendor advisory' as the confirmed status. Until patching is complete, restrict membership in the Backup Administrator role to a minimal, audited set of accounts and require MFA on the Veeam console, since the precondition for exploitation is holding that role. Place the Linux Veeam server on a management VLAN with network access limited to backup operators and infrastructure components (trade-off: temporarily disrupts admin workflows from general-purpose jumpboxes), and increase monitoring of filesystem writes outside expected Veeam working directories on the host. Rotate any credentials cached by the Veeam server after patching, on the assumption an attacker who reached this vulnerability could have planted persistence.
More in Backup And Replication
View allRemote code execution in Veeam Backup & Replication enables an authenticated domain user to execute arbitrary code on th
Bypass of Windows Driver Signature Enforcement in Veeam Backup and Replication 12.x and Software Appliance 13.x allows l
Same weakness CWE-36 – Absolute Path Traversal
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32713
GHSA-4x5p-f63m-rvrp