Description
A vulnerability allowing a Backup Viewer to perform remote code execution (RCE) as the postgres user.
Published: 2026-03-12
Score: 10 Critical
EPSS: 1.3% Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

A flaw in Veeam Backup and Recovery’s Backup Viewer enables an attacker to execute arbitrary code with the privileges of the postgres user. This gives potential control over the PostgreSQL database service and could compromise database integrity, confidentiality, and availability.

Affected Systems

The vulnerability impacts any deployment of Veeam Backup and Recovery that includes the Backup Viewer component. Specific product versions are not disclosed, so all installations that use this feature remain potentially exposed until a fix is applied.

Risk and Exploitability

The CVSS score of 10 reflects maximum severity, while the EPSS score of 1% indicates a low likelihood of current exploitation. The absence from the CISA KEV catalog does not lessen the risk, as the high score demands urgent attention. The most likely exploitation path is through remote access to the Backup Viewer interface, where an attacker can supply crafted input to trigger code execution as the postgres user. Once executed, the attacker could gain further access or persist within the system.

Generated by OpenCVE AI on March 27, 2026 at 11:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Veeam updates as described in the official KB articles at https://www.veeam.com/kb4830 and https://www.veeam.com/kb4831.
  • If a patch cannot be applied immediately, restrict or disable the Backup Viewer service to limit exposure to trusted administrators.
  • Maintain strict access controls and monitor PostgreSQL logs for anomalous activity that might indicate exploitation attempts.
  • Review and enforce least‑privilege access for users interacting with the Backup Viewer.


Advisories

No advisories yet.

History

Fri, 27 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
Title Veeam Backup Viewer RCE via Postgres User
Weaknesses CWE-20
CWE-94

Fri, 27 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
Title Remote Code Execution via Veeam Backup Viewer as Postgres User
Weaknesses CWE-94

Fri, 27 Mar 2026 08:45:00 +0000

Type Values Removed Values Added
Title Remote Code Execution via Veeam Backup Viewer as Postgres User
Weaknesses CWE-94

Thu, 26 Mar 2026 14:00:00 +0000

Type Values Removed Values Added
Title Remote Code Execution via Veeam Backup Viewer as Postgres User
Weaknesses CWE-269
CWE-94

Wed, 25 Mar 2026 22:00:00 +0000

Type Values Removed Values Added
Title Remote Code Execution via Veeam Backup Viewer as Postgres User
Weaknesses CWE-269
CWE-94

Wed, 25 Mar 2026 15:00:00 +0000

Type Values Removed Values Added
Title Remote Code Execution via Backup Viewer in Veeam Backup and Recovery
Weaknesses CWE-94

Wed, 25 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
Title Remote Code Execution via Backup Viewer in Veeam Backup and Recovery
Weaknesses CWE-94

Tue, 24 Mar 2026 13:30:00 +0000

Type Values Removed Values Added
Title Remote Code Execution via Backup Viewer in Veeam Backup & Recovery
Weaknesses CWE-78

Mon, 23 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
Title Remote Code Execution via Backup Viewer in Veeam Backup & Recovery
Weaknesses CWE-78

Mon, 23 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
Title Remote Code Execution via Backup Viewer in Veeam Backup & Recovery
Weaknesses CWE-20
CWE-269

Fri, 20 Mar 2026 16:00:00 +0000

Type Values Removed Values Added
Title Remote Code Execution via Backup Viewer in Veeam Backup & Recovery
Weaknesses CWE-20
CWE-269

Fri, 13 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Veeam
Veeam backup And Recovery
Vendors & Products Veeam
Veeam backup And Recovery

Thu, 12 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 12 Mar 2026 17:00:00 +0000

Type Values Removed Values Added
Description A vulnerability allowing a Backup Viewer to perform remote code execution (RCE) as the postgres user.
References
Metrics cvssV3_1

{'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: hackerone

Published:

Updated: 2026-03-13T03:55:48.114Z

Reserved: 2026-01-04T15:00:06.573Z

Link: CVE-2026-21708

Vulnrichment

Updated: 2026-03-12T17:28:02.623Z

NVD

Status: Awaiting Analysis

Published: 2026-03-12T17:16:36.683

Modified: 2026-03-12T21:07:53.427

Link: CVE-2026-21708

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T20:27:16Z

Weaknesses