CVE-2026-32997: A vulnerability allowing an authenticated user with the Backup Administrator role to write arbitrary files on Linux-based Veeam Backup & Replication server
HarborGuard Analysis

Synopsis
An arbitrary file write vulnerability affects Linux-based Veeam Backup and Replication servers at version 13.0.1 and earlier. An attacker must authenticate with a Backup Administrator account and reach the server over the network, but once they do they can write arbitrary files to the underlying Linux host. Successful exploitation gives the attacker full control over file contents on the server, which can be leveraged to overwrite critical system files, plant malicious binaries, or achieve remote code execution. No patched version has been published yet; HarborGuard is tracking the advisory and will make a patched-image rebuild available the moment an upstream fix is released.
HarborGuard Coverage
Detection for CVE-2026-32997 is available across every HarborGuard environment; the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that package Veeam Backup and Replication components. Any image carrying an affected version of the software is flagged automatically as part of each registry and pipeline scan.
Status: Available
Triage is available with a CVSS v4.0 score of 8.6 (HIGH), surfaced alongside per-environment compliance policy weighting so each customer organization can calibrate urgency against its own risk thresholds. Findings are routed to the appropriate inbox within each customer org based on policy-defined ownership rules.
Status: Available
Because no upstream fix version has been published, HarborGuard re-evaluates the advisory on every ingest cycle and will make a patched-image rebuild available immediately once an upstream fix is released. For customers who opt into auto-remediation, the rebuild, regression-test run, and PR against affected workloads will be triggered automatically at that point.
Status: Pending upstream
Exploit Conditions
- Network reachability: Required
  The attacker must reach the Veeam Backup and Replication server over the network to deliver the exploit.
- Authentication: Required
  A valid account holding the Backup Administrator role is required; unauthenticated access is not sufficient.
- Victim interaction: Not required
  No action from any other user or administrator is needed to complete the attack.
- Attack complexity: Low
  Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions or specific environmental factors.
Blast Radius
- The attacker can write arbitrary files anywhere on the Linux host, enabling overwrite of system binaries, configuration files, or SSH authorized keys.
- With control over file contents, the attacker can plant a malicious executable or cron entry and escalate to persistent remote code execution on the backup server.
- Because backup servers typically hold credentials and data for many connected workloads, a compromised server exposes the confidentiality and integrity of all backup data stored on or accessible from that host.
- The VA:H component of the CVSS vector indicates the attacker can also crash or destabilize the service, causing backup operations to fail and leaving protected workloads without a recent recovery point.
How HarborGuard Handles This
Available on HarborGuard: because no fix version exists for CVE-2026-32997 as of the publication date, HarborGuard continuously re-checks the Veeam advisory on every ingest cycle and will trigger a patched-image rebuild the moment an upstream fix is published. For customers who opt into auto-remediation, that rebuild will be followed automatically by a regression-test run and a PR opened against affected workloads.

While waiting for an upstream patch, compensating controls worth evaluating include: restricting network access to the Veeam server using container or host-level network policy (limiting which source IPs can reach the management interface); auditing which accounts hold the Backup Administrator role and revoking any that are unnecessary; and enabling file-integrity monitoring on the Linux host to detect unexpected writes. HarborGuard will surface the patched rebuild and update the finding status automatically, with no manual re-scan required.
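As an added illustration of the file-integrity-monitoring control (example code written for this page, not HarborGuard's or Veeam's), the following Python baselines a set of directories and reports files that were added, removed or modified, then runs that check over a constructed scratch tree standing in for /etc and /root/.ssh. The directory layout, file contents and key strings are constructed assumptions; on a real host you would baseline the actual system paths the blast radius names.

```python
import hashlib
import os
import stat
import tempfile

def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def baseline(roots):
    """Snapshot regular files under roots as path -> (sha256, mode). lstat skips
    symlinks, so a link planted in a monitored tree can't redirect the checker."""
    snap = {}
    for root in roots:
        for dirpath, _, names in os.walk(root):
            for name in names:
                path = os.path.join(dirpath, name)
                st = os.lstat(path)
                if stat.S_ISREG(st.st_mode):
                    snap[path] = (_sha256(path), stat.S_IMODE(st.st_mode))
    return snap

def diff(before, after):
    """Files that appeared, vanished, or changed content or mode between snapshots."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in before.keys() & after.keys() if before[p] != after[p]),
    }

def demo_scenario():
    """Constructed scratch tree standing in for /etc and /root/.ssh: baseline it, simulate
    the blast-radius writes (authorized_keys edited, new cron.d file), return the diff."""
    def put(path, data):
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    with tempfile.TemporaryDirectory() as tmp:
        etc, ssh = os.path.join(tmp, "etc"), os.path.join(tmp, "root", ".ssh")
        put(os.path.join(etc, "hosts"), b"127.0.0.1 localhost\n")
        put(os.path.join(ssh, "authorized_keys"), b"ssh-ed25519 CONSTRUCTED-KEY-1 admin\n")
        before = baseline([etc, ssh])
        put(os.path.join(ssh, "authorized_keys"), b"ssh-ed25519 CONSTRUCTED-KEY-2 unknown\n")
        put(os.path.join(etc, "cron.d", "unexpected"), b"# constructed: not in baseline\n")
        report = diff(before, baseline([etc, ssh]))
        return {k: [os.path.relpath(p, tmp) for p in v] for k, v in report.items()}
```

Store the baseline snapshot somewhere the monitored host cannot rewrite it, otherwise an attacker with arbitrary file write could simply replace the reference.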
Metrics
- CVSS v4.0: 8.6
- Severity: HIGH
- Fixed in: none yet (no upstream fix published)
- Affected Products: 1
  - Veeam / Backup and Replication, version ≤ 13.0.1
- CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N