jackal2001
Influencer
Posts: 11
Liked: 2 times
Joined: Dec 10, 2025 4:14 pm
Full Name: Jason
Contact:

CVEs showing up for VBR 12.3.2.4465

Post by jackal2001 »

We use a 3rd party solution to scan for vulnerabilities called Action1. We installed the 12.3.2.4465 patch on top of 12.3.2.4165 which went fine back on 3/13/26.
Action1 is reporting these CVEs which may have been resolved in the latest patch for ver13 of VBR, but are they applicable for version 12? If these have been resolved in 12.3.2.4465, can you please point me to documentation stating so which would be needed for our compensating controls. Thanks.

CVE-2026-21669, CVSS Score: 9.9, Published Date: 3/12/2026, Vulnerable Software: VBR ver. 12.3.2.4465

CVE-2026-21670, CVSS Score: 7.7, Published Date: 3/12/2026, Vulnerable Software: VBR ver. 12.3.2.4465
Mildur
Product Manager
Posts: 11597
Liked: 3260 times
Joined: May 13, 2017 4:51 pm
Full Name: Fabian K.
Location: Switzerland
Contact:

Re: CVEs showing up for VBR 12.3.2.4465

Post by Mildur »

Hi Jason,

Veeam Backup & Replication v12 is not affected by these two vulnerabilities. Only v13 is.

We list the relevant Veeam Backup & Replication builds and affected vulnerabilities in these KB articles:
V12: https://www.veeam.com/kb4830
V13: https://www.veeam.com/kb4831

Best,
Fabian
Product Management Analyst @ Veeam Software

Re: CVEs showing up for VBR 12.3.2.4465

Post by jackal2001 »

Yes I did see those documents, however I'm wondering why Action1 is reporting those CVEs for ver 12.3.2.4465. It is also showing those CVEs are applicable to our other servers running just the management console, which have also been upgraded automatically after the patch was applied upon first launch. I guess we'll just have to document those are false positives and not applicable to ver 12 of VBR.

Re: CVEs showing up for VBR 12.3.2.4465

Post by Mildur »

I’m not sure how Action1 determines which CVEs are applicable. Perhaps Action1 has flagged in their system that CVE-2026-21669 and CVE-2026-21670 require v13.0.1.2067 to be installed? Since it can only see that v12.3.2.4465 is installed during the scan, it may report the system as affected.

I recommend reaching out to their support team. You can also share our KB articles with them.

Best regards,
Fabian
Product Management Analyst @ Veeam Software

Re: CVEs showing up for VBR 12.3.2.4465

Post by jackal2001 »

Thank you for the prompt response.

Re: CVEs showing up for VBR 12.3.2.4465

Post by jackal2001 » 1 person likes this post

Mildur wrote: Mar 25, 2026 11:13 am
I’m not sure how Action1 determines which CVEs are applicable. Perhaps Action1 has flagged in their system that CVE-2026-21669 and CVE-2026-21670 require v13.0.1.2067 to be installed? Since it can only see that v12.3.2.4465 is installed during the scan, it may report the system as affected.

I recommend reaching out to their support team. You can also share our KB articles with them.

Best regards,
Fabian

Fabian,
I received this information back from Action1 support:

To verify specific CVEs, you can check if they are visible at https://nvd.nist.gov/search and https://console.vulncheck.com/.

For example, for CVE-2026-21669, you can view it directly in VulnCheck here: https://console.vulncheck.com/cve/CVE-2026-21669 or under details for a specific CVE in Action1. This CVE indicates that all versions earlier than 13.0.1 are affected.

The vendor likely needs to provide the correct information to VulnCheck and update the data to ensure accuracy.

Re: CVEs showing up for VBR 12.3.2.4465

Post by Mildur »

Thanks, I will double check the shared links together with our security teams.

Best,
Fabian
Product Management Analyst @ Veeam Software

Re: CVEs showing up for VBR 12.3.2.4465

Post by jackal2001 »

Any update on this?

Re: CVEs showing up for VBR 12.3.2.4465

Post by Mildur » 1 person likes this post

Hi Jason

Yes, we are looking into it.
Our Product Security team confirmed again that only Veeam Backup & Replication v13 is affected by CVE-2026-21669 and CVE-2026-21670. Our official KB documentation mentioned earlier in this topic is correct.

They are working to provide the correct information to VulnCheck, but it may take some time until this is corrected on VulnCheck.

Best,
Fabian
Product Management Analyst @ Veeam Software
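
Added example (not part of the thread, and not code from Veeam, Action1 or VulnCheck): a sketch of why a feed range with only an upper bound ("all versions earlier than 13.0.1") flags build 12.3.2.4465, while a range that also carries a lower bound at v13 does not. The lower bound `13.0.0` is an assumption that models the vendor's "only v13 is affected" statement; the class and function names are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional


def parse_version(text: str) -> tuple:
    """Turn '12.3.2.4465' or 'v13.0.1' into a tuple of ints for numeric comparison."""
    return tuple(int(part) for part in text.strip().lstrip("vV").split("."))


def compare(a: tuple, b: tuple) -> int:
    """Return -1, 0 or 1; pads the shorter tuple with zeros so 13.0.1 == 13.0.1.0."""
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return (a > b) - (a < b)


@dataclass(frozen=True)
class AffectedRange:
    """Version range: optional inclusive lower bound, exclusive upper bound."""
    end_excluding: str
    start_including: Optional[str] = None

    def matches(self, installed: str) -> bool:
        version = parse_version(installed)
        if compare(version, parse_version(self.end_excluding)) >= 0:
            return False  # at or past the fixed version
        if self.start_including is None:
            return True   # no lower bound: every older build matches
        return compare(version, parse_version(self.start_including)) >= 0


# Range as Action1 support described the feed entry: everything earlier than 13.0.1.
FEED_RANGE = AffectedRange(end_excluding="13.0.1")
# Same upper bound plus a lower bound at v13 (assumed value, see lead-in).
VENDOR_RANGE = AffectedRange(end_excluding="13.0.1", start_including="13.0.0")


def triage(installed: str) -> str:
    """Classify a scanner finding by comparing the feed range with the vendor range."""
    flagged = FEED_RANGE.matches(installed)
    if flagged and not VENDOR_RANGE.matches(installed):
        return "false positive: feed range has no lower bound"
    return "affected" if flagged else "not affected"


if __name__ == "__main__":
    # 13.0.0.1 is a constructed build number used only to exercise the v13 branch.
    for build in ("12.3.2.4465", "13.0.0.1", "13.0.1.2067"):
        print(build, "->", triage(build))
```

The same comparison applies to the console-only servers mentioned earlier in the thread, since the scanner sees the same installed build number there.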