VYPR
← All advisories
High severityNVD Advisory· Published May 28, 2026

CVE-2026-32997

CVE-2026-32997

Description

A vulnerability allowing an authenticated user with the Backup Administrator role to write arbitrary files on Linux-based Veeam Backup & Replication server.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Authenticated Backup Administrator can write arbitrary files on Linux Veeam Backup & Replication servers, leading to full compromise.

Vulnerability

The vulnerability exists in Veeam Backup & Replication version 13.0.1.2067 and all earlier version 13 builds on Linux-based Veeam Software Appliance [1]. An authenticated user with the Backup Administrator role can write arbitrary files to the server filesystem.

Exploitation

An attacker must have network access to the Veeam Backup & Replication server and possess valid credentials with the Backup Administrator role [1]. No user interaction is required. The attacker can exploit this by sending crafted requests to write files to arbitrary locations.

Impact

Successful exploitation allows the attacker to write arbitrary files, potentially leading to remote code execution, privilege escalation, or complete compromise of the backup server. The CVSS v3.1 score is 8.6 (High) with high impact on confidentiality, integrity, and availability [1].

Mitigation

Veeam has resolved this vulnerability in Veeam Backup & Replication version 13.0.2 [1]. Users should upgrade to this version or later. No workarounds are mentioned in the available reference. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog as of publication.

References
  1. Vulnerabilities Resolved in Veeam Backup & Replication 13.0.2

AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

1

News mentions

0

No linked articles in our index yet.