CVE-2026-21670 is a vulnerability identified in Veeam Backup and Replication version 13.0.1 that permits a low-privileged user to extract saved SSH credentials stored by the application. The vulnerability is classified with a CVSS 3.1 score of 7.7, reflecting a high severity primarily due to the confidentiality impact. The attack vector is network-based (AV:N), requiring low attack complexity (AC:L) and only low privileges (PR:L), with no user interaction (UI:N) needed. The scope is changed (S:C), meaning the vulnerability affects resources beyond the initially compromised component. The vulnerability does not impact integrity or availability but allows an attacker to obtain sensitive SSH credentials, which could be leveraged to escalate privileges or move laterally within an environment. The vulnerability was reserved in early 2026 and published in March 2026, with no known exploits in the wild or patches currently available. The lack of patches necessitates immediate compensating controls to prevent exploitation. The vulnerability arises from improper protection of stored SSH credentials within the backup software, which is critical as Veeam Backup and Replication is widely used for enterprise data protection and disaster recovery. Attackers exploiting this flaw could gain unauthorized access to systems managed via SSH, potentially compromising broader network segments.

The primary impact of CVE-2026-21670 is the compromise of confidentiality through unauthorized disclosure of SSH credentials. This can lead to unauthorized access to critical systems, enabling attackers to perform lateral movement, escalate privileges, or exfiltrate sensitive data. Although the vulnerability does not directly affect system integrity or availability, the stolen credentials can be used to launch further attacks that may disrupt operations or corrupt data. Organizations relying on Veeam Backup and Replication for data protection could face significant operational risks if attackers leverage this vulnerability to access backup infrastructure or production systems. The ease of exploitation (low complexity, no user interaction) and network accessibility increase the threat level, especially in environments where multiple users have low privileges on backup servers. The absence of known exploits currently provides a window for proactive defense, but the potential for rapid exploitation once public proof-of-concept code appears is high. This vulnerability is particularly critical for organizations with complex IT environments that depend on SSH for secure management and automation.

1. Immediately restrict network access to Veeam Backup and Replication servers to trusted administrators only, using network segmentation and firewall rules. 2. Audit and minimize the number of users with low privileges on backup servers to reduce the attack surface. 3. Review and secure SSH credential storage, including encryption and access controls, to prevent unauthorized extraction. 4. Monitor logs and network traffic for unusual access patterns or attempts to access credential stores. 5. Implement multi-factor authentication (MFA) for all administrative access to backup infrastructure to reduce the risk of credential misuse. 6. Prepare for rapid deployment of official patches once released by Veeam, and subscribe to vendor security advisories for updates. 7. Consider temporary disabling or limiting features that store SSH credentials within the backup software if feasible. 8. Conduct internal penetration testing focused on credential extraction vectors to identify and remediate weaknesses. 9. Educate administrators and users about the risks of credential exposure and enforce strict credential hygiene policies.