ctipilot.ch

Veeam Software Appliance (Linux) — authenticated Backup Administrator can write arbitrary files (CVSS 8.6)

cve · CVE-2026-32997

Coverage timeline
1
first 2026-05-29 → last 2026-05-31
Peak priority
notable
1 notable
Sources cited
13
9 hosts
Sections touched
1
trending-vulnerabilities
Co-occurring entities
1
see Related entities below
ATT&CK techniques
0
no mapped behavior yet

Story timeline

  1. 2026-05-29CVE-2026-32996 & CVE-2026-32997 — Veeam Backup & Replication KB4852: LPE in Windows Agent, arbitrary file write in Linux appliance
    trending-vulnerabilities

Where this entity is cited

  • trending-vulnerabilities1

Source distribution

  • github.com4 (31%)
  • samba.org2 (15%)
  • ccb.belgium.be1 (8%)
  • cert.ssi.gouv.fr1 (8%)
  • cybersecuritynews.com1 (8%)
  • docs.gitlab.com1 (8%)
  • fortiguard.fortinet.com1 (8%)
  • ibm.com1 (8%)
  • other1 (8%)

Co-occurring entities

Derived — referenced by the same focused operational entries (weekly summaries and report roundups don't count); ×N counts the shared entries.

External references

NVD · cve.org · CISA KEV

All cited sources (13)

Entries about Veeam Software Appliance (Linux) — authenticated Backup Administrator can write arbitrary files (CVSS 8.6) (1)

2026-05-29 · view entry permalink →

CVE-2026-32996 & CVE-2026-32997 — Veeam Backup & Replication KB4852: LPE in Windows Agent, arbitrary file write in Linux appliance

Veeam shipped KB4852 / Backup & Replication patch version 13.0.2.29 on 2026-05-27. CVE-2026-32996 (CVSS 7.3) is a local privilege escalation in the Veeam Agent for Microsoft Windows component — an attacker with limited system access can elevate to enable arbitrary command execution, security-control disablement or lateral movement; reporter Alibaba via HackerOne. CVE-2026-32997 (CVSS 8.6) is an arbitrary file write in the Veeam Software Appliance (Linux) constrained to authenticated users with the Backup Administrator role; depending on the target path (cron, authorized_keys, library hijack), this is a stepping stone to RCE or persistence. Both affect all version-13 builds before fixed version 13.0.2.29. CERT-FR / ANSSI advisory CERTFR-2026-AVI-0652 corroborates. No exploitation reported; Veeam notes patch-reverse-engineering risk after disclosure. Veeam is the dominant backup platform in EU public-sector on-premise environments — patch the appliance and Windows agent fleet in tandem with backup-administrator least-privilege review.

CVE Summary Table

CVE Product CVSS EPSS KEV Exploited Patch Source
CVE-2026-35616 Fortinet FortiClient EMS 7.4.5–7.4.6 9.1 43.2% Yes (2026-04-06) Yes — EKZ Infostealer EMS 7.4.7 Fortinet PSIRT
CVE-2026-4408 Samba (SAMR RPC) 10.0 n/a No No 4.22.10 / 4.23.8 / 4.24.3 Samba Project
CVE-2026-4480 Samba (print command) 10.0 n/a No No 4.22.10 / 4.23.8 / 4.24.3 Samba Project
CVE-2026-9170 IBM HTTP Server / WebSphere 9.8 0.049% No No APAR PH71265 IBM Security Bulletin
CVE-2026-44939 SUSE Rancher (cluster import) 9.6 n/a No No 2.10.12 / 2.11.14 / 2.12.10 / 2.13.6 / 2.14.2 SUSE GHSA
CVE-2026-44848 Portainer CE (Docker plugin endpoints) 9.4 n/a No No 2.33.8 / 2.39.2 / 2.41.0 Portainer GHSA
CVE-2026-44849 Portainer CE (Swarm service bypass) 9.4 n/a No No 2.33.8 / 2.39.2 / 2.41.0 CCB Belgium
CVE-2026-41053 SUSE Rancher (GitHub App auth) 8.8 n/a No No 2.13.6 / 2.14.2 SUSE GHSA
CVE-2026-32997 Veeam Backup Linux appliance 8.6 n/a No No version 13.0.2.29 Veeam KB4852
CVE-2026-41052 SUSE Rancher (PSA priv-esc) 8.4 n/a No No 2.12.10 / 2.13.6 / 2.14.2 SUSE GHSA
CVE-2026-4868 GitLab CE/EE (Duo AI) 8.2 n/a No No 19.0.1 / 18.11.4 / 18.10.7 GitLab
CVE-2026-32996 Veeam Windows Agent 7.3 n/a No No version 13.0.2.29 Veeam KB4852
CVE-2026-6713 GitLab CE/EE (project enumeration) 5.3 n/a No No 19.0.1 / 18.11.4 / 18.10.7 GitLab

authenticated user with the Backup Administrator role to write arbitrary files

Veeam KB4852

permits attackers with limited system access to escalate privileges and gain deeper access to enterprise systems

CybersecurityNews
vulnerability29 May 05:00Zmulti-sourceOpen finding ↗