Veeam Backup & Replication ↗
Veeam · Infrastructure
100/100 Healthy
Summary iPlain-English security verdict for Veeam Backup & Replication, generated from its current health score, actively-exploited vulnerabilities, and latest supported version.
Veeam Backup & Replication currently scores 100/100 — healthy. 4 actively-exploited vulnerabilities (CISA KEV) affect older releases (e.g. CVE-2023-27532) — staying on the latest supported version keeps you clear of them. The latest supported release is 13.0.2.29. It's on the latest patch with no significant known issues — keep it current.
Disclosure trend iNew CVEs published for Veeam Backup & Replication each year (NVD). A higher bar means more disclosures that year — more scrutiny, not necessarily less safe.
'19
'20
'21
'22
'23
'24
'25
'26
⚠ 4 of its known vulnerabilities are linked to ransomware campaigns (CISA KEV).
Patch priority — what to act on iThe issues to fix first — actively exploited (CISA KEV) first, then by exploitation probability (EPSS), then severity. Each row's "→ fixed in" is the earliest version that patches it; "see advisory" means no fixed version is published.
Most urgent first — actively exploited, then likeliest to be exploited.
CVE-2023-27532 HIGH ● exploited ⚠ ransomware Missing authentication EPSS 84% → fixed in 11.0.1.1261 CVE-2022-26501 CRITICAL ● exploited ⚠ ransomware Missing authentication EPSS 75% → fixed in 11.0.1.1261 CVE-2024-40711 CRITICAL ● exploited ⚠ ransomware Insecure deserialization EPSS 70% → fixed in 12.2.0.334 CVE-2022-26500 HIGH ● exploited ⚠ ransomware Path traversal EPSS 19% → fixed in 11.0.1.1261 CVE-2024-29849 CRITICAL Improper authentication EPSS 54% → fixed in 12.1.2.172 CVE-2025-23120 HIGH Insecure deserialization EPSS 41% → fixed in 12.3.1.1139 CVE-2026-21708 CRITICAL SQL injection EPSS 1% → fixed in 12.3.2.4465. CVE-2021-35971 CRITICAL Insecure deserialization EPSS 1% → fixed in 11.0.0.837 CVE-2026-21669 CRITICAL Code injection EPSS 0% → fixed in 13.0.1.2067 CVE-2026-21666 CRITICAL Improper access control EPSS 0% → fixed in 12.3.2.4465 CVE-2026-21667 CRITICAL Improper access control EPSS 0% → fixed in 12.3.2.4465 CVE-2025-48983 CRITICAL Improper access control EPSS 0% → fixed in 12.3.2.4165Versions & lifecycle iWhen each release line stops receiving security patches (end-of-life). After EOL there are no more fixes — plan upgrades before these dates.
How long each Veeam Backup & Replication release line is supported — and when it sunsets.
13 latest 13.0.2.29 Supported
12 latest 12.3.2.4854 Supported until 2027-02-01
11 latest 11.0.1.1261-P20240304 End of life ended 2024-02-01
10 latest 10.0.1.4854-P20220304 End of life ended 2023-02-01
9.5 latest 9.5.4.2866 End of life ended 2022-01-01
9.0 latest 9.0.0.1715 End of life
8.0 latest 8.0.0.2084 End of life
7.0 latest 7.0.0.871 End of life
6.5 latest 6.5.0.144 End of life
6.1 latest 6.1.0.205 End of life
See all upcoming end-of-life dates →