
CRITICAL: Veeam Backup Critical Flaw Lets Ransomware Gangs Delete Your Last Line of Defense

Critical authentication bypass in Veeam Backup & Replication allows attackers to delete backup repositories without credentials. Multiple ransomware gangs already exploiting CVE-2026-29849 to eliminate recovery options before deploying encryptors.

By Danny Mercer, CISSP — Lead Security Analyst Mar 20, 2026

Executive Summary

CVE-2026-29849 is a critical authentication bypass vulnerability (CVSS 9.8) in Veeam Backup & Replication versions 12.0 through 12.3.1. Unauthenticated attackers with network access can gain full administrative control over backup infrastructure. At least three ransomware gangs are actively exploiting this flaw to delete backups before deploying encryptors, eliminating victims' recovery options.

Vulnerability Details

Field              Value
-----------------  -----------------------------------------------------------
CVE                CVE-2026-29849
CVSS               9.8 (Critical)
Affected Versions  Veeam Backup & Replication 12.0 - 12.3.1
Fixed Version      12.3.2 (patches available for 12.0, 12.1, 12.2 branches)
Attack Vector      Network (unauthenticated)
Exploitation       Active in the wild

Technical Analysis

Backups are supposed to be your insurance policy against ransomware. Pay the ransom or restore from backup — that is the calculus every victim faces, and functional backups are what give organizations leverage to tell attackers to pound sand. But what happens when attackers can delete your backups before you even know they are in your network?

The vulnerability exists in how Veeam handles certain API requests to the backup server. Researchers at watchTowr Labs discovered that specific endpoints fail to properly validate authentication tokens, allowing attackers to craft requests that the server processes as if they came from a legitimate administrator. Once in, attackers have complete control over backup jobs, repositories, and recovery points.

Veeam released patches on March 14th, but threat intelligence from Huntress, Sophos, and Arctic Wolf confirms that at least three ransomware groups have incorporated CVE-2026-29849 exploitation into their playbooks within the past week.

The attack pattern follows a predictable sequence. Initial access comes through compromised VPN credentials, vulnerable internet-facing applications, or phishing. The attackers then move laterally until they identify the Veeam backup server through Active Directory reconnaissance or network scanning. Before touching any production systems with encryption, they exploit the Veeam vulnerability to delete all backup repositories and recovery points.

By the time the ransom note appears, the organization has already lost its safety net. The choice is no longer pay-or-restore; it is pay-or-rebuild-everything-from-scratch.

Huntress reported observing attacks where threat actors accessed Veeam servers, enumerated all backup jobs and repositories, and systematically deleted everything within a thirty-minute window before initiating ransomware deployment. The efficiency suggests attackers had practiced the sequence and potentially automated portions of the backup destruction process.

Indicators of Compromise

Exploitation leaves minimal forensic traces in standard logging. The API calls that trigger the authentication bypass look much like legitimate administrative traffic, so signature-based matching on the requests themselves is unreliable. Organizations should enable verbose logging on the backup server and monitor for unusual API calls, bulk deletion operations, authentication anomalies (state-changing requests accepted without a valid credential), and after-hours access to backup systems.
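The following detector is an added example of the monitoring described above; it is not code from the article, from Veeam, or from the threat-intelligence vendors cited. The log format is a constructed, generic HTTP-style access log for a backup server's REST API, not Veeam's real log format, and the thresholds (five deletes in ten minutes, business hours 07:00-18:59 UTC) are assumed values to tune for your environment. It flags the three behaviours that matter here: a mutating request accepted without a credential, after-hours changes to backup objects, and a burst of deletions from one source.

```python
"""Detection sketch for the backup-server indicators discussed above.

Assumptions (not from the advisory): the log format is a constructed,
generic HTTP-style access log, NOT Veeam's real log format; thresholds
and business hours are illustrative values.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample log lines (NOT real Veeam output).
SAMPLE_LOG = """\
2026-03-17T09:12:40Z src=10.0.1.15 user=backupadmin auth=token method=GET path=/api/v1/jobs status=200
2026-03-17T09:13:02Z src=10.0.1.15 user=backupadmin auth=token method=DELETE path=/api/v1/restorePoints/rp-0442 status=200
2026-03-17T02:14:03Z src=10.0.5.23 user=- auth=none method=GET path=/api/v1/backupRepositories status=200
2026-03-17T02:14:09Z src=10.0.5.23 user=- auth=none method=DELETE path=/api/v1/backupRepositories/repo-01 status=200
2026-03-17T02:14:15Z src=10.0.5.23 user=- auth=none method=DELETE path=/api/v1/backupRepositories/repo-02 status=200
2026-03-17T02:14:21Z src=10.0.5.23 user=- auth=none method=DELETE path=/api/v1/backupRepositories/repo-03 status=200
2026-03-17T02:14:27Z src=10.0.5.23 user=- auth=none method=DELETE path=/api/v1/restorePoints/rp-0101 status=200
2026-03-17T02:14:33Z src=10.0.5.23 user=- auth=none method=DELETE path=/api/v1/restorePoints/rp-0102 status=200
2026-03-17T14:00:10Z src=10.0.1.16 user=- auth=none method=GET path=/api/v1/health status=401
"""

BUSINESS_HOURS = (7, 19)                    # 07:00-18:59 UTC is "normal" (assumed)
BULK_DELETE_THRESHOLD = 5                   # this many DELETEs from one source ...
BULK_DELETE_WINDOW = timedelta(minutes=10)  # ... within this window is a bulk delete
MUTATING = {"DELETE", "POST", "PUT", "PATCH"}


def parse_line(line):
    """Parse one 'timestamp key=value ...' line into a dict."""
    ts, *kvs = line.split()
    rec = dict(kv.split("=", 1) for kv in kvs)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    rec["status"] = int(rec["status"])
    return rec


def detect(log_text):
    """Return a list of (alert_kind, source_ip, detail) tuples."""
    alerts = []
    recent_deletes = defaultdict(deque)  # src -> timestamps of recent DELETEs
    bulk_flagged = set()
    for line in log_text.strip().splitlines():
        r = parse_line(line)
        # 1. A state-changing request accepted (2xx) with no credential at all:
        #    this is the shape an authentication bypass leaves in the log.
        if r["method"] in MUTATING and r["auth"] == "none" and 200 <= r["status"] < 300:
            alerts.append(("unauthenticated_mutation", r["src"], r["path"]))
        # 2. Changes to backup objects outside business hours.
        if r["method"] in MUTATING and not (BUSINESS_HOURS[0] <= r["ts"].hour < BUSINESS_HOURS[1]):
            alerts.append(("after_hours_mutation", r["src"], r["path"]))
        # 3. Bulk deletion: sliding window of DELETEs per source, alert once per source.
        if r["method"] == "DELETE":
            q = recent_deletes[r["src"]]
            q.append(r["ts"])
            while q and r["ts"] - q[0] > BULK_DELETE_WINDOW:
                q.popleft()
            if len(q) >= BULK_DELETE_THRESHOLD and r["src"] not in bulk_flagged:
                bulk_flagged.add(r["src"])
                alerts.append(("bulk_delete", r["src"], f"{len(q)} deletes within {BULK_DELETE_WINDOW}"))
    return alerts


def summarize(alerts):
    """Count alerts by kind, e.g. {'bulk_delete': 1, ...}."""
    counts = defaultdict(int)
    for kind, _, _ in alerts:
        counts[kind] += 1
    return dict(counts)


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for kind, src, detail in found:
        print(f"{kind:26} {src:12} {detail}")
    print(summarize(found))
```

Against the constructed sample, only the 10.0.5.23 session trips any rule: five unauthenticated deletions at 02:14 UTC that also cross the bulk threshold. The legitimate administrator's single daytime delete and the rejected (401) unauthenticated probe produce nothing, which is the point: the bypass shows up as accepted mutations without credentials, not as failed logins.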

Remediation Steps

Update to Veeam Backup & Replication version 12.3.2 immediately. Patches are also available for 12.0, 12.1, and 12.2 branches for customers unable to upgrade to the latest release.

Beyond patching, organizations should implement network segmentation between production environments and backup infrastructure. Backup servers should not be reachable from general user networks. Administrative access should require privileged access workstations or jump hosts.

Implement immutable backup repositories using Veeam's hardened repository feature, cloud object lock capabilities, or air-gapped tape. When backups are written to immutable storage, attackers cannot delete them even with administrative access.
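One practical caveat when relying on cloud object lock: S3 Object Lock has two retention modes, and only COMPLIANCE mode blocks deletion regardless of the caller's privileges; GOVERNANCE mode can be overridden by any principal holding s3:BypassGovernanceRetention, which an attacker with administrative credentials may well have. The following check, an added example that is not from the article or from Veeam, evaluates the dict shape returned by boto3's s3.get_object_lock_configuration() against that requirement. The sample responses are constructed, and the 30-day minimum is an assumed policy value.

```python
"""Verify that an S3 Object Lock configuration resists deletion by a
privileged attacker. Added example, not from the advisory.

Input is the dict returned by boto3's s3.get_object_lock_configuration();
the responses below are constructed samples in that shape, and the
30-day minimum retention is an assumed organizational policy value.
"""

MIN_RETENTION_DAYS = 30  # assumed policy minimum


def evaluate_object_lock(response, min_days=MIN_RETENTION_DAYS):
    """Return (ok, reason). Passes only for COMPLIANCE mode with enough
    default retention: GOVERNANCE mode can be bypassed by principals granted
    s3:BypassGovernanceRetention, so it does not survive admin compromise."""
    cfg = response.get("ObjectLockConfiguration", {})
    if cfg.get("ObjectLockEnabled") != "Enabled":
        return False, "object lock not enabled on bucket"
    rule = cfg.get("Rule", {}).get("DefaultRetention")
    if not rule:
        return False, "no default retention rule; new objects are deletable unless locked individually"
    mode = rule.get("Mode")
    if mode != "COMPLIANCE":
        return False, f"mode is {mode}; only COMPLIANCE blocks privileged deletion"
    days = rule.get("Days") or rule.get("Years", 0) * 365
    if days < min_days:
        return False, f"retention of {days} days is below the {min_days}-day minimum"
    return True, f"COMPLIANCE retention of {days} days"


# Constructed sample responses (same shape as the real API, values invented).
SAMPLE_COMPLIANT = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
                    "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 45}}}}
SAMPLE_GOVERNANCE = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
                     "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 45}}}}
SAMPLE_SHORT = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
                "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 7}}}}
SAMPLE_NO_RULE = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled"}}
SAMPLE_DISABLED = {"ObjectLockConfiguration": {}}


def audit(responses_by_bucket):
    """Evaluate several buckets at once; returns {bucket: (ok, reason)}."""
    return {name: evaluate_object_lock(resp) for name, resp in responses_by_bucket.items()}


if __name__ == "__main__":
    # Against a live account you would build the input with
    # boto3.client("s3").get_object_lock_configuration(Bucket=name) per bucket.
    for bucket, (ok, reason) in audit({"backups-a": SAMPLE_COMPLIANT,
                                       "backups-b": SAMPLE_GOVERNANCE,
                                       "backups-c": SAMPLE_SHORT,
                                       "backups-d": SAMPLE_NO_RULE,
                                       "backups-e": SAMPLE_DISABLED}).items():
        print(f"{'PASS' if ok else 'FAIL'} {bucket}: {reason}")
```

The same reasoning applies to Veeam's hardened repository and to tape: the property you are buying is that no credential the backup server holds, and no credential an attacker can take from it, is sufficient to shorten or remove the retention. If a setting can be undone by an administrator, it is not immutable for ransomware purposes.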

Maintain at least one backup copy in a location that cannot be reached through any network path from the production environment. If your backup strategy does not include a recovery option that survives total network compromise, you are not actually protected against sophisticated ransomware.

Timeline

Date        Event
----------  --------------------------------------------------
2026-03-10  watchTowr Labs reports vulnerability to Veeam
2026-03-14  Veeam releases patches
2026-03-16  First exploitation observed in the wild
2026-03-20  Multiple ransomware gangs confirmed using exploit

References

Veeam Security Advisory KB4682: https://www.veeam.com/kb4682
