This vulnerability (CVE-2026-32999) affects the Comet Backup server by WebPros. It is caused by insufficient input validation in the backup agent signing module, which permits an authenticated tenant administrator to perform code injection. This results in arbitrary code execution on behalf of a privileged user on the affected server and any connected devices. The CVSS 3.1 score of 9.1 reflects network attack vector, high impact on confidentiality, integrity, and availability, and no user interaction required. The vulnerability is classified under CWE-94 (Improper Control of Generation of Code). No patch or official remediation level has been disclosed at this time.

Successful exploitation allows an authenticated tenant administrator to execute arbitrary code with elevated privileges on the Comet Backup server and connected devices. This can lead to full compromise of the backup infrastructure, including unauthorized access, data manipulation, and disruption of backup services. The critical CVSS score (9.1) indicates a severe risk to confidentiality, integrity, and availability of affected systems.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict tenant administrator privileges to trusted personnel only and monitor for suspicious activity related to the backup agent signing module. Follow vendor communications closely for updates on patches or temporary mitigations.