Impact
A documented flaw in Veeam Backup & Replication's high‑availability configuration allows an authenticated user with a Backup Administrator role to trigger remote code execution. The vulnerability is classified as a code injection flaw (CWE‑94). If exploited, the attacker can run arbitrary commands with the privileges of the backup appliance, potentially compromising the entire backup infrastructure and any protected data it holds. This can lead to full system compromise, data loss, or malicious data exfiltration.
Affected Systems
The issue affects Veeam backup appliances running the Veeam Backup & Replication suite in high‑availability (HA) deployments. The vendor product listed is Veeam Software Appliance, but the public advisory supplies no specific version ranges. Administrators should verify whether their environment includes an HA configuration and refer to the official Veeam knowledge base article for the affected releases and the fixed build.
Risk and Exploitability
The CVSS score of 9.1 places the flaw in the Critical band (9.0 to 10.0), but the EPSS score indicates that exploitation in the near term is currently considered unlikely (less than 1% probability), and the vulnerability is not yet recorded in the CISA KEV catalog. An attacker needs valid backup‑administrator credentials and network access to the HA component; once authenticated, exploitation is performed over the network. The low EPSS therefore reflects the credential requirement, not a low impact: the flaw turns a delegated Backup Administrator role into code execution on the appliance itself, so any phished or reused administrator credential becomes a full compromise of the backup tier. Protecting administrative accounts (strong, unique credentials and multi‑factor authentication where the platform supports it), auditing who holds the Backup Administrator role, and restricting network exposure of the appliance's management and HA interfaces remain critical until the fixed release is applied.
OpenCVE Enrichment