Release Information for Veeam Backup & Replication 13 and Updates

13.0.1.2067

2026-03-12

Security

Vulnerabilities

• CVE-2026-21669 | Severity: Critical (9.9)
  A vulnerability allowing an authenticated domain user to perform remote code execution (RCE) on the Backup Server.
• CVE-2026-21670 | Severity: High (7.7)
  A vulnerability allowing a low-privileged user to extract saved SSH credentials.
• CVE-2026-21671 | Severity: Critical (9.1)
  A vulnerability allowing an authenticated user with the Backup Administrator role to perform remote code execution (RCE) in high availability (HA) deployments of Veeam Backup & Replication.
• CVE-2026-21672 | Severity: High (8.8)
  A vulnerability allowing local privilege escalation on Windows-based Veeam Backup & Replication servers.
• CVE-2026-21708 | Severity: Critical (9.9)
  A vulnerability allowing a Backup Viewer to perform remote code execution (RCE) as the postgres user.

Resolved issues

General

• Importing a backup from a Windows SMB share may fail when specifying the full path to a .vbk file, with the error:

  Failed to create LinuxAbsolutePath from <path>. Reason: An absolute path in Linux must begin with the root (/) character. (Parameter 'value')
  

• When updating RHEL infrastructure servers with the DISA STIG profile enabled, the public GPG key used to validate Veeam packages will be updated as well.
  To ensure a smooth update for these systems, it's recommended to temporarily disable the fapolicyd service (if it's in use) during the update.
• Fixed an issue where the Veeam vSphere vCenter plugin could fail to initialize and return an HTTP 404 error.
• Increased the default Service Version Timeout to 120 seconds to reduce timeout‑related failures.

Scale-Out Backup Repository

• Exporting backups to a Scale-Out Backup Repository with an NFS-based performance extent may fail when a retention period is specified.

Object Storage Repository

• When backing up to an object storage repository in direct connection mode, the backup server may be incorrectly selected as the gateway server even when other backup proxy servers are available, which can impact performance.

Application Plug-ins

• Application plug-in installation may fail with a "no digest" error when using the .rpm package on an OS with FIPS mode enabled.
• A "hostname mismatch" error occurs when the plug-in connects to VBR using a custom self-signed certificate.
• An "Unable to get local issuer certificate" error occurs when the plug-in connects to VBR using a certificate signed by an internal CA.
• When using centralized plug-in management for Oracle RMAN, Microsoft SQL Server, SAP HANA, or SAP on Oracle, the default backup operator role does not have permission to manage the application backup policy.

Unstructured Data Backup

• Unstructured Data Backup policies targeting a Hardened Repository may fail when the policy name contains special characters, with the error:

  Failed to create NAS backup storage
  

Primary Storage

• Backup jobs using IBM FlashSystem storage snapshots as a source may complete with a Warning status when Volume Protection mode is enabled on the array.
• Dell PowerStore USAPI plug-in fails to connect after upgrading to version 13.0.1 due to an exception caused by an SSL/TLS settings mismatch, causing the error:

  Could not establish trust relationship for the SSL/TLS secure channel
  

• Long-running operations with storage systems could be prematurely canceled due to the default 100-second HTTP client timeout.

Restore to Microsoft Azure

• Restoring a Windows-based machine to Microsoft Azure may result in a non-bootable VM. The restore session log contains the following warning:

  vdmount::CVhdMounter::Mount: step = 5, error = 1392: 00000570
  

Veeam Agents 

• Veeam Agent for Microsoft Windows 13.0.2.1102 
• Veeam Agent for Linux 13.0.1.404
  • Creating an S3-compatible object storage repository may fail on certain S3-compatible storage systems if the endpoint returns HTTP 503 (Service Unavailable) during the connection test.
• Veeam Agent for Mac  13.0.1.402
  • Creating an S3-compatible object storage repository may fail on certain S3-compatible storage systems if the endpoint returns HTTP 503 (Service Unavailable) during the connection test.

File-Level Restore

• Other OS file-level restore (FLR) mounts may take an excessive amount of time when many preferred networks are configured. To work around this issue, configure the preferred IP address used by the mount server to connect to the backup repository by creating the following registry value on the backup server:
  
  Key Location: HKLM\SOFTWARE\Veeam\Veeam Backup and Replication\
  Value Name: FlrMountPreferredIp
  Value Type: String Value (REG_SZ)
  Value Data: <IP address>

Tape

• Multiple related issues were fixed, resulting in a significantly improved UI experience

Microsoft Entra ID

• Adding a Microsoft Entra ID tenant and running Microsoft Entra ID backup jobs may fail in environments where Internet access is available only through an HTTP/HTTPS proxy (proxy settings are not applied).

Veeam Cloud Connect

• Cloud Connect service may experience excessive memory consumption when a service provider uses a datastore cluster as a target for replication jobs
• Backup configuration jobs targeting an object storage repository fail with the error:

  Job session with id ‘<id>’ was not found (System.Exception).
  

Web UI

• Veeam Intelligence fails to open when multi-factor authentication (MFA) is enabled.

13.0.1.1071

2026-01-06

Security

Vulnerabilities

• CVE-2025-55125 | Severity: High (7.2)
  This vulnerability allows a Backup or Tape Operator to perform remote code execution (RCE) as root by creating a malicious backup configuration file.
• CVE-2025-59468 | Severity: Medium (6.7)
  This vulnerability allows a Backup Administrator to perform remote code execution (RCE) as the postgres user by sending a malicious password parameter.
• CVE-2025-59469 | Severity: High (7.2)
  This vulnerability allows a Backup or Tape Operator to write files as root.
• CVE-2025-59470 | Severity: High (9.0)
  This vulnerability allows a Backup or Tape Operator to perform remote code execution (RCE) as the postgres user by sending a malicious interval or order parameter.

Post-Release Live Updates

Important features and fixes that were pushed to Veeam Software Appliances via the live-update system.

• Improvements to the archive log file management. A new cron job runs hourly to help eliminate older diagnostic log files when the volume storing the Veeam logs exceeds 90% capacity.

Resolved issues

General

• Excessive audit failure events are generated within the Windows Event Log during normal operation of the Veeam.Backup.IdentityService.exe process.

Microsoft Hyper-V

• During guest interaction proxy selection, the Hyper-V host is skipped, resulting in the Veeam Backup Server being used instead.
• Hyper-V replication jobs fail during incremental runs with the error:

  hexadecimal value 0x00, is an invalid character.
  

• The replication job wizard does not save custom destination paths after editing, causing the destination path to reset to the default value instead of retaining the user-defined path.
• When attempting to add network mapping for a replication job to a Cloud Connect target, the process fails with the following error:

  Unable to cast object of type 'Veeam.Backup.Common.CCloudNetworkInfo' to type 'Veeam.Backup.Common.CHvSwitchInfo'. (System.InvalidCastException)
  

• Editing a standalone Hyper‑V host fails with the error:

  Creating configuration database records. Error: Host [] does not exist in database
  

  or
  

  Unable to cast object of type 'System.DBNull' to type 'System.String'
  

Guest processing

• Backup jobs for Linux VMs fail with the following error when application-aware processing is disabled and indexing is enabled:

  Cannot find Linux guest credentials.
  

Unstructured data

• Copy Backup and Health Check sessions cannot be stopped once initiated.
• The Get-VBRUnstructuredBackupFLRItem -Recurse PowerShell cmdlet intermittently fails to return all items.
• Old backups fail to be imported with the errors:

  Attempted to divide by zero
  

  and
  

  Failed to deserialize long-term meta
  

• It is impossible to create a new directory in an Instant Recovery share when using Samba server version 4.22.4 on the Linux mount server.

Veeam Agent for Windows 13.0.1.1009

• The Veeam Agent for Windows executable setup incorrectly blocked installation on Windows 10 21H2 LTSC IoT.
• An unexpected synthetic full backup is triggered during a scheduled job launch of Veeam Agent for Windows, even if no previous backup sessions were missed.
• After encryption is enabled, local backup chain transformation, after a Health Check, fails with the error:

  FOREIGN KEY constraint failed
  

Veeam Agent for Linux 13.0.1.203

• Added compatibility for RHEL 9.7 & 10.1, Rocky Linux 9.7 & 10.1, AlmaLinux 9.7 & 10.1, and SLES 16.0 Linux distributions.

Object Storage Repository

• The immutability setting [For the minimum immutability duration only] was not correctly enforced for GFS backups, resulting in longer-than-intended immutability periods.
  
  Note: This update corrects the enforcement. To avoid unexpectedly shortening immutability for existing GFS backups, all existing object storage repositories will be automatically set to: [For the entire duration of their retention policy]. New repositories will not be affected. Backup administrators can revert existing repositories to [For the minimum immutability duration only] after reviewing which restore points will be impacted by the corrected behavior.

Tape

• The Online and Offline subfolders for Media in the Tape Infrastructure node are missing.
• Changes to the state of the Archive Incremental checkbox are not saved after editing and closing the backup to tape job.
• The "This day" option for a monthly schedule cannot be set correctly, and the selected months are not applied.
• File backup to tape jobs hang during incremental backup operations.
• Tenant restore from tape fails with the error:

  Cannot find full backup.
  

• Multiple yearly storages are missing under Backups → Tape in the console, despite being displayed correctly under tape properties.

Veeam Plug-In for Kasten

• K10 instances cannot be edited or rescanned after upgrading from version 12.3 to 13.0.1.
• Sync failed after upgrading from version 12.3 to 13.0.1 when K10 instances have certain specific policies configured.

Microsoft EntraID

• Starting a Microsoft Entra ID restore from an encrypted backup after upgrading from version 12.3.2 to 13.0.1 results in the error:

  Cannot find Microsoft Entra ID backup repository for the backup custom EntraID job.
  

Cloud Connect

• The license report for Cloud Connect providers incorrectly displays 0 points for tenant consumption.
• Datastore Cluster cannot be selected as a storage within a VMware Hardware Plan wizard.