ctipilot.ch

Veeam Software Appliance (Linux) — authenticated Backup Administrator can write arbitrary files (CVSS 8.6)

cve · CVE-2026-32997

Coverage timeline
1
first 2026-05-29 → last 2026-05-29
Briefs
1
1 distinct
Sources cited
4
4 hosts
Sections touched
0
Co-occurring entities
3
see Related entities below

Story timeline

  1. 2026-05-29CTI Daily Brief — 2026-05-29

Source distribution

  • cert.ssi.gouv.fr1 (25%)
  • cybersecuritynews.com1 (25%)
  • veeam.com1 (25%)
  • docs.gitlab.com1 (25%)

Related entities

External references

NVD · cve.org · CISA KEV

All cited sources (4)

Items in briefs about Veeam Software Appliance (Linux) — authenticated Backup Administrator can write arbitrary files (CVSS 8.6) (1)

CVE-2026-32996 & CVE-2026-32997 — Veeam Backup & Replication KB4852: LPE in Windows Agent, arbitrary file write in Linux appliance

From CTI Daily Brief — 2026-05-29 · published 2026-05-29 · view item permalink →

Veeam shipped KB4852 / Backup & Replication patch version 13.0.2.29 on 2026-05-27. CVE-2026-32996 (CVSS 7.3) is a local privilege escalation in the Veeam Agent for Microsoft Windows component — an attacker with limited system access can elevate to enable arbitrary command execution, security-control disablement or lateral movement; reporter Alibaba via HackerOne. CVE-2026-32997 (CVSS 8.6) is an arbitrary file write in the Veeam Software Appliance (Linux) constrained to authenticated users with the Backup Administrator role; depending on the target path (cron, authorized_keys, library hijack), this is a stepping stone to RCE or persistence. Both affect all version-13 builds before fixed version 13.0.2.29. CERT-FR / ANSSI advisory CERTFR-2026-AVI-0652 corroborates. No exploitation reported; Veeam notes patch-reverse-engineering risk after disclosure. Veeam is the dominant backup platform in EU public-sector on-premise environments — patch the appliance and Windows agent fleet in tandem with backup-administrator least-privilege review.

CVE Summary Table

CVE Product CVSS EPSS KEV Exploited Patch Source
CVE-2026-35616 Fortinet FortiClient EMS 7.4.5–7.4.6 9.1 43.2% Yes (2026-04-06) Yes — EKZ Infostealer EMS 7.4.7 Fortinet PSIRT
CVE-2026-4408 Samba (SAMR RPC) 10.0 n/a No No 4.22.10 / 4.23.8 / 4.24.3 Samba Project
CVE-2026-4480 Samba (print command) 10.0 n/a No No 4.22.10 / 4.23.8 / 4.24.3 Samba Project
CVE-2026-9170 IBM HTTP Server / WebSphere 9.8 0.049% No No APAR PH71265 IBM Security Bulletin
CVE-2026-44939 SUSE Rancher (cluster import) 9.6 n/a No No 2.10.12 / 2.11.14 / 2.12.10 / 2.13.6 / 2.14.2 SUSE GHSA
CVE-2026-44848 Portainer CE (Docker plugin endpoints) 9.4 n/a No No 2.33.8 / 2.39.2 / 2.41.0 Portainer GHSA
CVE-2026-44849 Portainer CE (Swarm service bypass) 9.4 n/a No No 2.33.8 / 2.39.2 / 2.41.0 CCB Belgium
CVE-2026-41053 SUSE Rancher (GitHub App auth) 8.8 n/a No No 2.13.6 / 2.14.2 SUSE GHSA
CVE-2026-32997 Veeam Backup Linux appliance 8.6 n/a No No version 13.0.2.29 Veeam KB4852
CVE-2026-41052 SUSE Rancher (PSA priv-esc) 8.4 n/a No No 2.12.10 / 2.13.6 / 2.14.2 SUSE GHSA
CVE-2026-4868 GitLab CE/EE (Duo AI) 8.2 n/a No No 19.0.1 / 18.11.4 / 18.10.7 GitLab
CVE-2026-32996 Veeam Windows Agent 7.3 n/a No No version 13.0.2.29 Veeam KB4852
CVE-2026-6713 GitLab CE/EE (project enumeration) 5.3 n/a No No 19.0.1 / 18.11.4 / 18.10.7 GitLab