Veeam

All CVEs

81 total · sorted by risk
  • CVE-2024-42448 · Critical · Dec 12, 2024
    risk 0.69 · cvss 9.9 · epss 0.20

    From the VSPC management agent machine, under condition that the management agent is authorized on the server, it is possible to perform Remote Code Execution (RCE) on the VSPC server machine.

  • CVE-2024-39714 · Critical · Sep 7, 2024
    risk 0.65 · cvss 9.9 · epss 0.01

    A code injection vulnerability that permits a low-privileged user to upload arbitrary files to the server, leading to remote code execution on VSPC server.

  • CVE-2026-21708 · Critical · Mar 12, 2026
    risk 0.64 · cvss 9.9 · epss 0.01

    A vulnerability allowing a Backup Viewer to perform remote code execution (RCE) as the postgres user.

  • CVE-2026-21669 · Critical · Mar 12, 2026
    risk 0.64 · cvss 9.9 · epss 0.01

    A vulnerability allowing an authenticated domain user to perform remote code execution (RCE) on the Backup Server.

  • CVE-2024-38650 · Critical · Sep 7, 2024
    risk 0.64 · cvss 9.9 · epss 0.01

    An authentication bypass vulnerability can allow a low privileged attacker to access the NTLM hash of service account on the VSPC server.

  • CVE-2024-1244 · Critical · Jun 11, 2025
    risk 0.62 · cvss n/a · epss 0.00

    Improper input validation in the OSSEC HIDS agent for Windows prior to version 3.8.0 allows an attacker with control over the OSSEC server or in possession of the agent's key to configure the agent to connect to a malicious UNC path. This results in the leakage of the machine…

  • CVE-2026-44963 · Critical · Jun 9, 2026
    risk 0.61 · cvss n/a · epss 0.02

    A vulnerability allowing remote code execution (RCE) on the Backup Server by an authenticated domain user.

  • CVE-2026-32998 · Critical · May 28, 2026
    risk 0.61 · cvss n/a · epss 0.00

    This vulnerability in Veeam Service Provider Console allows for remote code execution.

  • CVE-2026-21671 · Critical · Mar 12, 2026
    risk 0.59 · cvss 9.1 · epss 0.01

    A vulnerability allowing an authenticated user with the Backup Administrator role to perform remote code execution (RCE) in high availability (HA) deployments of Veeam Backup & Replication.

  • CVE-2025-23114 · Critical · Feb 5, 2025
    risk 0.59 · cvss 9.0 · epss 0.01

    A vulnerability in the Veeam Updater component allows Man-in-the-Middle attackers to execute arbitrary code on the affected server. This issue occurs due to a failure to properly validate the TLS certificate.

  • CVE-2026-21672 · High · Mar 12, 2026
    risk 0.57 · cvss 8.8 · epss 0.00

    A vulnerability allowing local privilege escalation on Windows-based Veeam Backup & Replication servers.

  • CVE-2026-21668 · High · Mar 12, 2026
    risk 0.57 · cvss 8.8 · epss 0.01

    A vulnerability allowing an authenticated domain user to bypass restrictions and manipulate arbitrary files on a Backup Repository.

  • CVE-2026-32997 · High · May 28, 2026
    risk 0.56 · cvss n/a · epss 0.01

    A vulnerability allowing an authenticated user with the Backup Administrator role to write arbitrary files on Linux-based Veeam Backup & Replication server.

  • CVE-2025-32406 · High · Apr 8, 2025
    risk 0.56 · cvss 8.6 · epss 0.00

    An XXE issue in the Director NBR component in NAKIVO Backup & Replication 10.3.x through 11.0.1 before 11.0.2 allows remote attackers to fetch and parse the XML response.

  • CVE-2024-39715 · High · Sep 7, 2024
    risk 0.56 · cvss 8.5 · epss 0.01

    A code injection vulnerability that allows a low-privileged user with REST API access granted to remotely upload arbitrary files to the VSPC server using REST API, leading to remote code execution on VSPC server.

  • CVE-2024-38651 · High · Sep 7, 2024
    risk 0.56 · cvss 8.5 · epss 0.01

    A code injection vulnerability can allow a low-privileged user to overwrite files on that VSPC server, which can lead to remote code execution on VSPC server.

  • CVE-2025-22447 · High · Mar 6, 2025
    risk 0.51 · cvss 7.8 · epss 0.00

    Incorrect access permission of a specific service issue exists in RemoteView Agent (for Windows) versions prior to v8.1.5.2. If this vulnerability is exploited, a non-administrative user on the remote PC may execute an arbitrary OS command with LocalSystem privilege.

  • CVE-2024-23774 · High · Apr 30, 2024
    risk 0.51 · cvss 7.8 · epss 0.00

    An issue was discovered in Quest KACE Agent for Windows 12.0.38 and 13.1.23.0. An unquoted Windows search path vulnerability exists in the KSchedulerSvc.exe and AMPTools.exe components. This allows local attackers to execute code of their choice with NT Authority\SYSTEM…

  • CVE-2024-23773 · High · Apr 30, 2024
    risk 0.51 · cvss 7.8 · epss 0.00

    An issue was discovered in Quest KACE Agent for Windows 12.0.38 and 13.1.23.0. An Arbitrary file delete vulnerability exists in the KSchedulerSvc.exe component. Local attackers can delete any file of their choice with NT Authority\SYSTEM privileges.

  • CVE-2026-21670 · High · Mar 12, 2026
    risk 0.50 · cvss 7.7 · epss 0.00

    A vulnerability allowing a low-privileged user to extract saved SSH credentials.

  • CVE-2026-32996 · High · May 28, 2026
    risk 0.47 · cvss n/a · epss 0.00

    This vulnerability in Veeam Agent for Microsoft Windows allows for Local Privilege Escalation.

  • CVE-2024-42449 · High · Dec 4, 2024
    risk 0.46 · cvss 7.1 · epss 0.05

    From the VSPC management agent machine, under condition that the management agent is authorized on the server, it is possible to remove arbitrary files on the VSPC server machine.

  • CVE-2023-27532 · KEV · Mar 10, 2023
    risk 0.25 · cvss n/a · epss 0.78

    Vulnerability in Veeam Backup & Replication component allows encrypted credentials stored in the configuration database to be obtained. This may lead to gaining access to the backup infrastructure hosts.

  • CVE-2022-26501 · KEV · Mar 17, 2022
    risk 0.24 · cvss n/a · epss 0.04

    Veeam Backup & Replication 10.x and 11.x has Incorrect Access Control (issue 1 of 2).

  • CVE-2024-48248 · KEV · Mar 4, 2025
    risk 0.20 · cvss n/a · epss 0.94

    NAKIVO Backup & Replication before 11.0.0.88174 allows absolute path traversal for reading files via getImageByPath to /c/router (this may lead to remote code execution across the enterprise because PhysicalDiscovery has cleartext credentials).

  • CVE-2022-26500 · KEV · Mar 17, 2022
    risk 0.20 · cvss n/a · epss 0.06

    Improper limitation of path names in Veeam Backup & Replication 9.5U3, 9.5U4, 10.x, and 11.x allows remote authenticated users access to internal API functions that allow attackers to upload and execute arbitrary code.

  • CVE-2020-10915 · Apr 22, 2020
    risk 0.10 · cvss n/a · epss 0.87

    This vulnerability allows remote attackers to execute arbitrary code on affected installations of VEEAM One Agent 9.5.4.4587. Authentication is not required to exploit this vulnerability. The specific flaw exists within the HandshakeResult method. The issue results from the lack…

  • CVE-2020-10914 · Apr 22, 2020
    risk 0.09 · cvss n/a · epss 0.47

    This vulnerability allows remote attackers to execute arbitrary code on affected installations of VEEAM One Agent 9.5.4.4587. Authentication is not required to exploit this vulnerability. The specific flaw exists within the PerformHandshake method. The issue results from the…

  • CVE-2024-29849 · May 22, 2024
    risk 0.04 · cvss n/a · epss 0.17

    Veeam Backup Enterprise Manager allows unauthenticated users to log in as any user to enterprise manager web interface.

  • CVE-2019-11569 · May 6, 2019
    risk 0.03 · cvss n/a · epss 0.02

    Veeam ONE Reporter 9.5.0.3201 allows CSRF.

  • CVE-2024-29855 · Jun 11, 2024
    risk 0.02 · cvss n/a · epss 0.22

    Hard-coded JWT secret allows authentication bypass in Veeam Recovery Orchestrator.

  • CVE-2024-29212 · May 13, 2024
    risk 0.02 · cvss n/a · epss 0.02

    Due to an unsafe deserialization method used by the Veeam Service Provider Console (VSPC) server in communication between the management agent and its components, under certain conditions, it is possible to perform Remote Code Execution (RCE) on the VSPC server machine.

  • CVE-2020-15418 · Jul 28, 2020
    risk 0.02 · cvss n/a · epss 0.09

    This vulnerability allows remote attackers to disclose sensitive information on affected installations of Veeam ONE 10.0.0.750_20200415. Authentication is not required to exploit this vulnerability. The specific flaw exists within the SSRSReport class. Due to the improper…

  • CVE-2023-38547 · Nov 7, 2023
    risk 0.01 · cvss n/a · epss 0.19

    A vulnerability in Veeam ONE allows an unauthenticated user to gain information about the SQL server connection Veeam ONE uses to access its configuration database. This may lead to remote code execution on the SQL server hosting the Veeam ONE configuration database.

  • CVE-2026-21666 · Mar 12, 2026
    risk 0.00 · cvss n/a · epss 0.01

    A vulnerability allowing an authenticated domain user to perform remote code execution (RCE) on the Backup Server.

  • CVE-2026-21667 · Mar 12, 2026
    risk 0.00 · cvss n/a · epss 0.01

    A vulnerability allowing an authenticated domain user to perform remote code execution (RCE) on the Backup Server.

  • CVE-2025-48983 · Oct 30, 2025
    risk 0.00 · cvss n/a · epss 0.01

    A vulnerability in the Mount service of Veeam Backup & Replication, which allows for remote code execution (RCE) on the Backup infrastructure hosts by an authenticated domain user.

  • CVE-2025-48982 · Oct 30, 2025
    risk 0.00 · cvss n/a · epss 0.00

    This vulnerability in Veeam Agent for Microsoft Windows allows for Local Privilege Escalation if a system administrator is tricked into restoring a malicious file.

  • CVE-2025-48984 · Oct 30, 2025
    risk 0.00 · cvss n/a · epss 0.01

    A vulnerability allowing remote code execution (RCE) on the Backup Server by an authenticated domain user.

  • CVE-2025-23082 · Jan 14, 2025
    risk 0.00 · cvss n/a · epss 0.00

    Veeam Backup for Microsoft Azure is vulnerable to Server-Side Request Forgery (SSRF). This may allow an unauthenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks.

  • CVE-2024-45204 · Dec 4, 2024
    risk 0.00 · cvss n/a · epss 0.00

    A vulnerability exists where a low-privileged user can exploit insufficient permissions in credential handling to leak NTLM hashes of saved credentials. The exploitation involves using retrieved credentials to expose sensitive NTLM hashes, impacting systems beyond the initial…

  • CVE-2024-42451 · Dec 4, 2024
    risk 0.00 · cvss n/a · epss 0.00

    A vulnerability in Veeam Backup & Replication allows low-privileged users to leak all saved credentials in plaintext. This is achieved by calling a series of methods over an external protocol, ultimately retrieving the credentials using a malicious setup on the attacker's side.…

  • CVE-2024-42453 · Dec 4, 2024
    risk 0.00 · cvss n/a · epss 0.00

    A vulnerability in Veeam Backup & Replication allows low-privileged users to control and modify configurations on connected virtual infrastructure hosts. This includes the ability to power off virtual machines, delete files in storage, and make configuration changes, potentially…

  • CVE-2024-45207 · Dec 4, 2024
    risk 0.00 · cvss n/a · epss 0.00

    DLL injection in Veeam Agent for Windows can occur if the system's PATH variable includes insecure locations. When the agent runs, it searches these directories for necessary DLLs. If an attacker places a malicious DLL in one of these directories, the Veeam Agent might load it…

  • CVE-2024-42457 · Dec 4, 2024
    risk 0.00 · cvss n/a · epss 0.00

    A vulnerability in Veeam Backup & Replication allows users with certain operator roles to expose saved credentials by leveraging a combination of methods in a remote management interface. This can be achieved using a session object that allows for credential enumeration and…

  • CVE-2024-42452 · Dec 4, 2024
    risk 0.00 · cvss n/a · epss 0.00

    A vulnerability in Veeam Backup & Replication allows a low-privileged user to start an agent remotely in server mode and obtain credentials, effectively escalating privileges to system-level access. This allows the attacker to upload files to the server with elevated privileges.…

  • CVE-2024-45206 · Dec 4, 2024
    risk 0.00 · cvss n/a · epss 0.00

    A vulnerability in Veeam Service Provider Console has been identified, which allows performing arbitrary HTTP requests to arbitrary hosts of the network and getting information about internal resources.

  • CVE-2024-40717 · Dec 4, 2024
    risk 0.00 · cvss n/a · epss 0.01

    A vulnerability in Veeam Backup & Replication allows a low-privileged user with certain roles to perform remote code execution (RCE) by updating existing jobs. These jobs can be configured to run pre- and post-scripts, which can be located on a network share and are executed…

  • CVE-2024-42456 · Dec 4, 2024
    risk 0.00 · cvss n/a · epss 0.00

    A vulnerability in Veeam Backup & Replication platform allows a low-privileged user with a specific role to exploit a method that updates critical configuration settings, such as modifying the trusted client certificate used for authentication on a specific port. This can result…

  • CVE-2024-42455 · Dec 4, 2024
    risk 0.00 · cvss n/a · epss 0.14

    A vulnerability in Veeam Backup & Replication allows a low-privileged user to connect to remoting services and exploit insecure deserialization by sending a serialized temporary file collection. This exploit allows the attacker to delete any file on the system with service…

Page 1 of 2