CVE-2026-32996: This vulnerability in Veeam Agent for Microsoft Windows allows for Local Privilege Escalation
HarborGuard Analysis
Synopsis
A local privilege escalation vulnerability affects Veeam Agent for Microsoft Windows (Veeam Backup and Replication version 13.0.1 and earlier). An attacker with a low-privilege account on the host can exploit this without any network access or victim interaction, though certain preconditions must align. Successful exploitation gives the attacker full read, write, and availability impact on the local system, including the ability to take control of the host. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment an upstream fix is published.
HarborGuard Coverage
Detection capability for CVE-2026-32996 is available across every HarborGuard environment; the CVE is matched against customer images within minutes of ingestion from upstream advisory feeds, covering both third-party and custom-built images in connected registries and CI pipelines. Any image shipping an affected version of Veeam Agent for Microsoft Windows (Backup and Replication up to 13.0.1) will surface as a finding automatically.
Available
HarborGuard scores this finding at CVSS 7.3 (HIGH) using the v4.0 vector from the record, and per-environment compliance policy weighting can elevate or suppress routing priority based on each organization's risk posture. Findings are routed to the appropriate team inbox within each customer org according to configured ownership rules for the affected image or workload.
Available
Because no fix version has been published upstream, HarborGuard re-checks the Veeam advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a remediated release is confirmed. In the interim, customers with auto-remediation enabled will receive advisory alerts and can apply compensating controls through HarborGuard's policy engine without waiting for a manual review cycle.
Pending upstream
Exploit Conditions
- Network reachability: Not required
  The attacker needs an existing shell or process on the host; no network path to the service is required.
- Authentication: Required
  Any low-privilege local account is sufficient; no administrative or elevated credentials are needed to reach the vulnerable code path.
- Victim interaction: Not required
  The exploit runs entirely under the attacker's control with no action required from another user.
- Attack complexity: Detail
  The exploit is generally reliable but requires specific preconditions (AT:P) to be in place, such as a particular system state or configuration, rather than being unconditionally triggerable.
Blast Radius
- Reads sensitive data from the local system, including credentials, backup metadata, and configuration files accessible to the elevated process.
- Modifies or deletes local files and system configuration, including backup job definitions and stored recovery points managed by Veeam Agent.
- Disrupts availability of the local Veeam Agent service and any scheduled backup or restore operations running on the host.
- Gains full control of the local Windows host, enabling persistence, lateral movement staging, or destruction of backup data.
How HarborGuard Handles This
Available on HarborGuard: because no upstream fix has been published for CVE-2026-32996, HarborGuard continuously re-evaluates the Veeam advisory on every ingest cycle and will automatically trigger a patched-image rebuild the moment a remediated version of Veeam Agent for Microsoft Windows is released. For customers who opt into auto-remediation, that rebuild will be followed by a regression-test run and a PR opened against affected workloads with no manual intervention needed. While no patch is available, recommended compensating controls include applying strict least-privilege policies to accounts that can interact with the Veeam Agent process, using container or host-level security profiles (such as AppArmor or Windows Defender Application Control policies) to restrict the process's capabilities, and isolating backup agent workloads from production application containers where architecture permits. HarborGuard compliance policies can be configured to flag any deployment of an affected image as a policy violation, enabling teams to gate promotions to production until a fix is available.
Metrics
- CVSS v4.0: 7.3
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
  - Veeam / Backup and Replication ≤ 13.0.1
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N