Release Information for Veeam Backup & Replication 13 and Updates

Security

Vulnerabilities

• CVE-2026-32996 | Severity: High (7.3)
  A vulnerability in Veeam Agent for Microsoft Windows allows for Local Privilege Escalation.
• CVE-2026-32997 | Severity: High (8.6)
  A vulnerability allowing an authenticated user with the Backup Administrator role to write arbitrary files on a Linux-based Veeam Backup & Replication server (Veeam Software Appliance).

Resolved issues

General

• Removal of the BUILTIN\Administrators group from Users & Roles does not correctly remove permissions from users in that group.
• Veeam Backup & Replication causes excessive logging of Event ID 0.
• The History tab fails to display historical information correctly.

Remote Console

• The Veeam Backup & Replication Console auto-update process fails on systems with non-English locales.
• The Veeam Backup & Replication Console installer downloaded via the Web UI is not at the latest version, requiring additional patching after installation to match the installed server. 
• When the Veeam Backup & Replication Console connects to multiple remote Veeam Backup & Replication deployments at the same version, the auto-update process runs redundantly and connection behavior is inconsistent. (Improved patched-file detection in the Console auto-update process so it correctly identifies already-current installations.)

High Availability

• Creating a high availability cluster may reset the PostgreSQL OOMScoreAdjust setting, increasing the risk of the service being terminated by the operating system under memory pressure.

NFS Repository

• Resetting the NFS share context also resets the NFS directory cache settings configured by the deployment service.

Object Storage Repository

• Checkpoint removal on Azure-based object storage repositories fails with an InvalidQueryParameterValue error when the VersionId parameter is incorrectly set to null.
• Operations with Azure-based Capacity Tier and Archive Tier repositories fail due to the use of a deprecated Microsoft endpoint.

Data Domain Repository

• DDBoost credentials are not properly validated before checking repository availability.
• Multiple repositories backed by the same Data Domain system must share a single set of DDBoost credentials, preventing per-repository credential isolation and separate Storage Unit ownership. 
  (Added support for using multiple DDBoost credentials with a single Data Domain system.)

Enterprise Manager

• Logon to Windows-based Enterprise Manager fails due to a SAML authentication failure.

Microsoft Hyper-V

• Hyper-V replica virtual machines may become unbootable in rare scenarios.
• Orphaned records related to Hyper-V infrastructure objects persist after the underlying objects are removed.
• Guest processing of Windows Server 2025 virtual machines fails.

Unstructured Data Backup

• After a source job in a Backup Copy job is removed, that Backup Copy job fails with the error:

  Unable to find cache settings for server
  

• Backup jobs targeting S3 repositories in Direct connection mode may incorrectly start gateway components on the backup server.

Veeam Agents

• Veeam Agent for Microsoft Windows 13.0.3.1220
  • File-level restore operations using Entra ID accounts may fail, potentially leading to LSASS crashes with InvokerTestConnection errors.
• Veeam Agent for Linux 13.0.2.2
  • Veeam Agent for Linux cannot be installed on x86_64 distributions of RHEL 9.8, RHEL 10.2, or Ubuntu 26.04 LTS. (Added platform support for x86_64 distributions of RHEL 9.8, RHEL 10.2, and Ubuntu 26.04 LTS.)   
• Veeam Agent for IBM AIX 13.0.2.2108
• Veeam Agent for Oracle Solaris 13.0.2.2108
  • ZFS enumeration may cause a segmentation error on Veeam Agent deployments running on SPARC systems.

File-Level Restore

• Helper appliance settings are resolved based on the backup service account instead of the user initiating the file-level restore session.

13.0.1.2067

2026-03-12

Security

Vulnerabilities

• CVE-2026-21669 | Severity: Critical (9.9)
  A vulnerability allowing an authenticated domain user to perform remote code execution (RCE) on the Backup Server.
• CVE-2026-21670 | Severity: High (7.7)
  A vulnerability allowing a low-privileged user to extract saved SSH credentials.
• CVE-2026-21671 | Severity: Critical (9.1)
  A vulnerability allowing an authenticated user with the Backup Administrator role to perform remote code execution (RCE) in high availability (HA) deployments of Veeam Backup & Replication.
• CVE-2026-21672 | Severity: High (8.8)
  A vulnerability allowing local privilege escalation on Windows-based Veeam Backup & Replication servers.
• CVE-2026-21708 | Severity: Critical (9.9)
  A vulnerability allowing a Backup Viewer to perform remote code execution (RCE) as the postgres user.

Third-Party Component Vulnerabilities

• CVE-2026-31431 | Severity: High (7.8) | Commonly known as Copy Fail

New features and enhancements

Veeam Data Cloud Vault

• Backup server authorization now communicates directly with Veeam Data Cloud (VDC), removing the need to be a License Admin. Now, any user with the right VDC permissions can register a server.
• The Web UI registration process has been improved and is now code-based: the backup server generates a registration code, which is entered into the VDC portal. This replaces the previous redirect-based authentication method to improve security.

General

• Improved the Support Log bundle collection tool to more efficiently identify and collect relevant log files needed by support. The net result is that log bundles are now significantly smaller.

Resolved issues

General

• Importing a backup from a Windows SMB share may fail when specifying the full path to a .vbk file, with the error:

  Failed to create LinuxAbsolutePath from <path>. Reason: An absolute path in Linux must begin with the root (/) character. (Parameter 'value')
  

• When updating RHEL infrastructure servers with the DISA STIG profile enabled, the public GPG key used to validate Veeam packages will be updated as well.
  To ensure a smooth update for these systems, it's recommended to temporarily disable the fapolicyd service (if it's in use) during the update.
• Fixed an issue where the Veeam vSphere vCenter plugin could fail to initialize and return an HTTP 404 error.
• Increased the default Service Version Timeout to 120 seconds to reduce timeout‑related failures.

Scale-Out Backup Repository

• Exporting backups to a Scale-Out Backup Repository with an NFS-based performance extent may fail when a retention period is specified.

Object Storage Repository

• When backing up to an object storage repository in direct connection mode, the backup server may be incorrectly selected as the gateway server even when other backup proxy servers are available, which can impact performance.

Application Plug-ins

• Application plug-in installation may fail with a "no digest" error when using the .rpm package on an OS with FIPS mode enabled.
• A "hostname mismatch" error occurs when the plug-in connects to VBR using a custom self-signed certificate.
• An "Unable to get local issuer certificate" error occurs when the plug-in connects to VBR using a certificate signed by an internal CA.
• When using centralized plug-in management for Oracle RMAN, Microsoft SQL Server, SAP HANA, or SAP on Oracle, the default backup operator role does not have permission to manage the application backup policy.

Unstructured Data Backup

• Unstructured Data Backup policies targeting a Hardened Repository may fail when the policy name contains special characters, with the error:

  Failed to create NAS backup storage
  

Primary Storage

• Backup jobs using IBM FlashSystem storage snapshots as a source may complete with a Warning status when Volume Protection mode is enabled on the array.
• Dell PowerStore USAPI plug-in fails to connect after upgrading to version 13.0.1 due to an exception caused by an SSL/TLS settings mismatch, causing the error:

  Could not establish trust relationship for the SSL/TLS secure channel
  

• Long-running operations with storage systems could be prematurely canceled due to the default 100-second HTTP client timeout.

Restore to Microsoft Azure

• Restoring a Windows-based machine to Microsoft Azure may result in a non-bootable VM. The restore session log contains the following warning:

  vdmount::CVhdMounter::Mount: step = 5, error = 1392: 00000570
  

Veeam Agents 

• Veeam Agent for Microsoft Windows 13.0.2.1102 
• Veeam Agent for Linux 13.0.1.404
  • Creating an S3-compatible object storage repository may fail on certain S3-compatible storage systems if the endpoint returns HTTP 503 (Service Unavailable) during the connection test.
• Veeam Agent for Mac  13.0.1.402
  • Creating an S3-compatible object storage repository may fail on certain S3-compatible storage systems if the endpoint returns HTTP 503 (Service Unavailable) during the connection test.

File-Level Restore

• Other OS file-level restore (FLR) mounts may take an excessive amount of time when many preferred networks are configured. To work around this issue, configure the preferred IP address used by the mount server to connect to the backup repository by creating the following registry value on the backup server:
  
  Key Location: HKLM\SOFTWARE\Veeam\Veeam Backup and Replication\
  Value Name: FlrMountPreferredIp
  Value Type: String Value (REG_SZ)
  Value Data: <IP address>

Tape

• Multiple related issues were fixed, resulting in a significantly improved UI experience

Microsoft Entra ID

• Adding a Microsoft Entra ID tenant and running Microsoft Entra ID backup jobs may fail in environments where Internet access is available only through an HTTP/HTTPS proxy (proxy settings are not applied).

Veeam Cloud Connect

• Cloud Connect service may experience excessive memory consumption when a service provider uses a datastore cluster as a target for replication jobs
• Backup configuration jobs targeting an object storage repository fail with the error:

  Job session with id ‘<id>’ was not found (System.Exception).
  

Web UI

• Veeam Intelligence fails to open when multi-factor authentication (MFA) is enabled.

13.0.1.1071

2026-01-06

Security

Vulnerabilities

• CVE-2025-55125 | Severity: High (7.2)
  This vulnerability allows a Backup or Tape Operator to perform remote code execution (RCE) as root by creating a malicious backup configuration file.
• CVE-2025-59468 | Severity: Medium (6.7)
  This vulnerability allows a Backup Administrator to perform remote code execution (RCE) as the postgres user by sending a malicious password parameter.
• CVE-2025-59469 | Severity: High (7.2)
  This vulnerability allows a Backup or Tape Operator to write files as root.
• CVE-2025-59470 | Severity: High (9.0)
  This vulnerability allows a Backup or Tape Operator to perform remote code execution (RCE) as the postgres user by sending a malicious interval or order parameter.

Post-Release Live Updates

Important features and fixes that were pushed to Veeam Software Appliances via the live-update system.

• Improvements to the archive log file management. A new cron job runs hourly to help eliminate older diagnostic log files when the volume storing the Veeam logs exceeds 90% capacity.

Resolved issues

General

• Excessive audit failure events are generated within the Windows Event Log during normal operation of the Veeam.Backup.IdentityService.exe process.

Microsoft Hyper-V

• During guest interaction proxy selection, the Hyper-V host is skipped, resulting in the Veeam Backup Server being used instead.
• Hyper-V replication jobs fail during incremental runs with the error:

  hexadecimal value 0x00, is an invalid character.
  

• The replication job wizard does not save custom destination paths after editing, causing the destination path to reset to the default value instead of retaining the user-defined path.
• When attempting to add network mapping for a replication job to a Cloud Connect target, the process fails with the following error:

  Unable to cast object of type 'Veeam.Backup.Common.CCloudNetworkInfo' to type 'Veeam.Backup.Common.CHvSwitchInfo'. (System.InvalidCastException)
  

• Editing a standalone Hyper‑V host fails with the error:

  Creating configuration database records. Error: Host [] does not exist in database
  

  or
  

  Unable to cast object of type 'System.DBNull' to type 'System.String'
  

Guest processing

• Backup jobs for Linux VMs fail with the following error when application-aware processing is disabled and indexing is enabled:

  Cannot find Linux guest credentials.
  

Unstructured data

• Copy Backup and Health Check sessions cannot be stopped once initiated.
• The Get-VBRUnstructuredBackupFLRItem -Recurse PowerShell cmdlet intermittently fails to return all items.
• Old backups fail to be imported with the errors:

  Attempted to divide by zero
  

  and
  

  Failed to deserialize long-term meta
  

• It is impossible to create a new directory in an Instant Recovery share when using Samba server version 4.22.4 on the Linux mount server.

Veeam Agent for Windows 13.0.1.1009

• The Veeam Agent for Windows executable setup incorrectly blocked installation on Windows 10 21H2 LTSC IoT.
• An unexpected synthetic full backup is triggered during a scheduled job launch of Veeam Agent for Windows, even if no previous backup sessions were missed.
• After encryption is enabled, local backup chain transformation, after a Health Check, fails with the error:

  FOREIGN KEY constraint failed
  

Veeam Agent for Linux 13.0.1.203

• Added compatibility for RHEL 9.7 & 10.1, Rocky Linux 9.7 & 10.1, AlmaLinux 9.7 & 10.1, and SLES 16.0 Linux distributions.

Object Storage Repository

• The immutability setting [For the minimum immutability duration only] was not correctly enforced for GFS backups, resulting in longer-than-intended immutability periods.
  
  Note: This update corrects the enforcement. To avoid unexpectedly shortening immutability for existing GFS backups, all existing object storage repositories will be automatically set to: [For the entire duration of their retention policy]. New repositories will not be affected. Backup administrators can revert existing repositories to [For the minimum immutability duration only] after reviewing which restore points will be impacted by the corrected behavior.

Tape

• The Online and Offline subfolders for Media in the Tape Infrastructure node are missing.
• Changes to the state of the Archive Incremental checkbox are not saved after editing and closing the backup to tape job.
• The "This day" option for a monthly schedule cannot be set correctly, and the selected months are not applied.
• File backup to tape jobs hang during incremental backup operations.
• Tenant restore from tape fails with the error:

  Cannot find full backup.
  

• Multiple yearly storages are missing under Backups → Tape in the console, despite being displayed correctly under tape properties.

Veeam Plug-In for Kasten

• K10 instances cannot be edited or rescanned after upgrading from version 12.3 to 13.0.1.
• Sync failed after upgrading from version 12.3 to 13.0.1 when K10 instances have certain specific policies configured.

Microsoft EntraID

• Starting a Microsoft Entra ID restore from an encrypted backup after upgrading from version 12.3.2 to 13.0.1 results in the error:

  Cannot find Microsoft Entra ID backup repository for the backup custom EntraID job.
  

Cloud Connect

• The license report for Cloud Connect providers incorrectly displays 0 points for tenant consumption.
• Datastore Cluster cannot be selected as a storage within a VMware Hardware Plan wizard.