Scaner-VSvulnerability catalog · v4.2

Home Catalog Sources CWE CAPEC ATT&CK Mitigations Products Vendors Docs

← Back to List

nvd,anchore_overrides

Veeam

Vulnerabilities

85

Known exploited

4

Critical

24

High

41

Top products

Veeam Backup \& Replication48 One14 Veeam Service Provider Console9 One Reporter3 Recovery Orchestrator3 Veeam Agent For Windows3 Disaster Recovery Orchestrator2 One Firmware2 Availability Orchestrator1 Backup1 Management Pack1 Veeam1 Veeam Availability Suite1 Veeam Backup For Google Cloud1 Veeam Backup For Microsoft Azure1

Top vulnerabilities

CVE-2026-21708A vulnerability allowing a Backup Viewer to perform remote code execution (RCE) as the postgres user.

CVE-2026-21669A vulnerability allowing an authenticated domain user to perform remote code execution (RCE) on the Backup Server.

CVE-2025-48983A vulnerability in the Mount service of Veeam Backup & Replication, which allows for remote code execution (RCE) on the Backup infrastructure hosts by an authenticated domain user.

CVE-2024-42448From the VSPC management agent machine, under condition that the management agent is authorized on the server, it is possible to perform Remote Code Execution (RCE) on the VSPC server machine.

CVE-2024-39714A code injection vulnerability that permits a low-privileged user to upload arbitrary files to the server, leading to remote code execution on VSPC server.

CVE-2024-38650An authentication bypass vulnerability can allow a low privileged attacker to access the NTLM hash of service account on the VSPC server.

CVE-2024-29212Due to an unsafe de-serialization method used by the Veeam Service Provider Console(VSPC) server in communication between the management agent and its components, under certain conditions, it is possible to perform Remote Code Execution (RCE) on the VSPC server machine.

CVE-2025-55125This vulnerability allows a Backup or Tape Operator to perform remote code execution (RCE) as root by creating a malicious backup configuration file.

CVE-2024-40711A deserialization of untrusted data vulnerability with a malicious payload can allow an unauthenticated remote code execution (RCE).

CVE-2024-29849Veeam Backup Enterprise Manager allows unauthenticated users to log in as any user to enterprise manager web interface.

CVE-2023-38547A vulnerability in Veeam ONE allows an unauthenticated user to gain information about the SQL server connection Veeam ONE uses to access its configuration database. This may lead to remote code execution on the SQL server hosting the Veeam ONE configuration database.

CVE-2022-43549Improper authentication in Veeam Backup for Google Cloud v1.0 and v3.0 allows attackers to bypass authentication mechanisms.

CVE-2022-26501Veeam Backup & Replication 10.x and 11.x has Incorrect Access Control (issue 1 of 2).

CVE-2021-35971Veeam Backup and Replication 10 before 10.0.1.4854 P20210609 and 11 before 11.0.0.837 P20210507 mishandles deserialization during Microsoft .NET remoting.

CVE-2020-10915This vulnerability allows remote attackers to execute arbitrary code on affected installations of VEEAM One Agent 9.5.4.4587. Authentication is not required to exploit this vulnerability. The specific flaw exists within the HandshakeResult method. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-10401.

CVE-2020-10914This vulnerability allows remote attackers to execute arbitrary code on affected installations of VEEAM One Agent 9.5.4.4587. Authentication is not required to exploit this vulnerability. The specific flaw exists within the PerformHandshake method. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-10400.

CVE-2026-44963A vulnerability allowing remote code execution (RCE) on the Backup Server by an authenticated domain user.

CVE-2026-32998This vulnerability in Veeam Service Provider Console allows for remote code execution.

CVE-2026-21671A vulnerability allowing an authenticated user with the Backup Administrator role to perform remote code execution (RCE) in high availability (HA) deployments of Veeam Backup & Replication.

CVE-2025-59468This vulnerability allows a Backup Administrator to perform remote code execution (RCE) as the postgres user by sending a malicious password parameter.

CVE-2025-59470This vulnerability allows a Backup Operator to perform remote code execution (RCE) as the postgres user by sending a malicious interval or order parameter.

CVE-2025-59469This vulnerability allows a Backup or Tape Operator to write files as root.

CVE-2025-23114A vulnerability in Veeam Updater component allows Man-in-the-Middle attackers to execute arbitrary code on the affected server. This issue occurs due to a failure to properly validate TLS certificate.

CVE-2024-29855Hard-coded JWT secret allows authentication bypass in Veeam Recovery Orchestrator

CVE-2026-21672A vulnerability allowing local privilege escalation on Windows-based Veeam Backup & Replication servers.

Open in catalog with vendor filter →