This vulnerability (CVE-2026-21671) affects Veeam Backup & Replication Software Appliance version 13.0.1 in high availability configurations. It permits an authenticated user holding the Backup Administrator role to execute arbitrary code remotely, potentially compromising the system. The CVSS 3.1 base score is 9.1, reflecting network attack vector, low attack complexity, high privileges required, no user interaction, and complete impact on confidentiality, integrity, and availability. The weakness is categorized under CWE-693. No official patch or fix information is currently available from the vendor.

Successful exploitation allows a Backup Administrator to execute arbitrary code remotely on the affected appliance, which can lead to full system compromise, including loss of confidentiality, integrity, and availability of backup data and systems. This could severely disrupt backup operations and potentially enable further attacks within the environment.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, restrict Backup Administrator role assignments to trusted personnel only and monitor for unusual activity related to backup appliance access. Follow vendor communications closely for official patches or temporary mitigations.