Home · Briefs · CTI Daily Brief — 2026-05-29
CVE-2026-32996 & CVE-2026-32997 — Veeam Backup & Replication KB4852: LPE in Windows Agent, arbitrary file write in Linux appliance
From CTI Daily Brief — 2026-05-29 · published 2026-05-29
Veeam shipped KB4852 / Backup & Replication patch version 13.0.2.29 on 2026-05-27. CVE-2026-32996 (CVSS 7.3) is a local privilege escalation in the Veeam Agent for Microsoft Windows component — an attacker with limited system access can elevate to enable arbitrary command execution, security-control disablement or lateral movement; reporter Alibaba via HackerOne. CVE-2026-32997 (CVSS 8.6) is an arbitrary file write in the Veeam Software Appliance (Linux) constrained to authenticated users with the Backup Administrator role; depending on the target path (cron, authorized_keys, library hijack), this is a stepping stone to RCE or persistence. Both affect all version-13 builds before fixed version 13.0.2.29. CERT-FR / ANSSI advisory CERTFR-2026-AVI-0652 corroborates. No exploitation reported; Veeam notes patch-reverse-engineering risk after disclosure. Veeam is the dominant backup platform in EU public-sector on-premise environments — patch the appliance and Windows agent fleet in tandem with backup-administrator least-privilege review.
CVE Summary Table
| CVE | Product | CVSS | EPSS | KEV | Exploited | Patch | Source |
|---|---|---|---|---|---|---|---|
| CVE-2026-35616 | Fortinet FortiClient EMS 7.4.5–7.4.6 | 9.1 | 43.2% | Yes (2026-04-06) | Yes — EKZ Infostealer | EMS 7.4.7 | Fortinet PSIRT |
| CVE-2026-4408 | Samba (SAMR RPC) | 10.0 | n/a | No | No | 4.22.10 / 4.23.8 / 4.24.3 | Samba Project |
| CVE-2026-4480 | Samba (print command) | 10.0 | n/a | No | No | 4.22.10 / 4.23.8 / 4.24.3 | Samba Project |
| CVE-2026-9170 | IBM HTTP Server / WebSphere | 9.8 | 0.049% | No | No | APAR PH71265 | IBM Security Bulletin |
| CVE-2026-44939 | SUSE Rancher (cluster import) | 9.6 | n/a | No | No | 2.10.12 / 2.11.14 / 2.12.10 / 2.13.6 / 2.14.2 | SUSE GHSA |
| CVE-2026-44848 | Portainer CE (Docker plugin endpoints) | 9.4 | n/a | No | No | 2.33.8 / 2.39.2 / 2.41.0 | Portainer GHSA |
| CVE-2026-44849 | Portainer CE (Swarm service bypass) | 9.4 | n/a | No | No | 2.33.8 / 2.39.2 / 2.41.0 | CCB Belgium |
| CVE-2026-41053 | SUSE Rancher (GitHub App auth) | 8.8 | n/a | No | No | 2.13.6 / 2.14.2 | SUSE GHSA |
| CVE-2026-32997 | Veeam Backup Linux appliance | 8.6 | n/a | No | No | version 13.0.2.29 | Veeam KB4852 |
| CVE-2026-41052 | SUSE Rancher (PSA priv-esc) | 8.4 | n/a | No | No | 2.12.10 / 2.13.6 / 2.14.2 | SUSE GHSA |
| CVE-2026-4868 | GitLab CE/EE (Duo AI) | 8.2 | n/a | No | No | 19.0.1 / 18.11.4 / 18.10.7 | GitLab |
| CVE-2026-32996 | Veeam Windows Agent | 7.3 | n/a | No | No | version 13.0.2.29 | Veeam KB4852 |
| CVE-2026-6713 | GitLab CE/EE (project enumeration) | 5.3 | n/a | No | No | 19.0.1 / 18.11.4 / 18.10.7 | GitLab |