Skip to main content

Veeam Backup & Replication EUVDEUVD-2026-32713

| CVE-2026-32997 HIGH
Absolute Path Traversal (CWE-36)
2026-05-28 hackerone GHSA-4x5p-f63m-rvrp
8.6
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.6 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

4
Analysis Generated
May 28, 2026 - 07:00 vuln.today
CVSS changed
May 28, 2026 - 05:22 NVD
8.6 (HIGH)
CVE Published
May 28, 2026 - 04:01 nvd
UNKNOWN (no severity yet)
CVE Published
May 28, 2026 - 04:01 nvd
HIGH 8.6

DescriptionCVE.org

A vulnerability allowing an authenticated user with the Backup Administrator role to write arbitrary files on Linux-based Veeam Backup & Replication server.

AnalysisAI

Arbitrary file write in Veeam Backup & Replication 13 (≤13.0.1) on Linux-based deployments allows an authenticated Backup Administrator to write files anywhere on the server filesystem, enabling code execution and full host compromise. CVSS 4.0 scores this 8.6 (High) due to network-reachable exploitation with high impact across confidentiality, integrity, and availability, though high privileges are required. No public exploit identified at time of analysis.

Technical ContextAI

Veeam Backup & Replication is an enterprise data-protection platform whose management server in version 13 supports Linux as a host OS. The flaw is classified as CWE-36 (Absolute Path Traversal), meaning an input that should resolve to a constrained directory is treated as an absolute path, letting the caller specify arbitrary destinations. The affected CPE is cpe:2.3:a:veeam:backup_and_replication and the issue is exposed through functionality available to the Backup Administrator role, which has broad operational privileges over backup jobs, repositories, and infrastructure components - but is not equivalent to OS root on the Linux host.

RemediationAI

Apply the fix per Veeam KB4852 (https://www.veeam.com/kb4852); upgrade beyond 13.0.1 once the vendor-released patched version is confirmed from that advisory - exact patched build is not enumerated in the provided intelligence, so treat 'Patch available per vendor advisory' as the confirmed status. Until patching is complete, restrict membership in the Backup Administrator role to a minimal, audited set of accounts and require MFA on the Veeam console, since the precondition for exploitation is holding that role. Place the Linux Veeam server on a management VLAN with network access limited to backup operators and infrastructure components (trade-off: temporarily disrupts admin workflows from general-purpose jumpboxes), and increase monitoring of filesystem writes outside expected Veeam working directories on the host. Rotate any credentials cached by the Veeam server after patching, on the assumption an attacker who reached this vulnerability could have planted persistence.

Share

EUVD-2026-32713 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy