IRONSMITHINTEL
HIGH
Auth: varies | Reboot: service restart | Est. 30–60 minutes per agent | Manual only

Third-Party Backup Agents Are Frequently Targeted and Must Be Kept Updated

Backup agents run with high privileges and often listen on network ports — vulnerabilities in backup software have been used for ransomware deployment and data exfiltration.

Published May 7, 2026
Why patch: risk explained in plain English
Worst-case scenario if unpatched

An attacker who exploits a vulnerability in a backup agent gains SYSTEM-level code execution and access to backup data including credentials stored in backup jobs. Ransomware operators specifically target backup infrastructure to prevent recovery after deploying ransomware.

How the attack works

Backup agents from vendors such as Veeam, Acronis, Commvault, Veritas, and others run as SYSTEM or high-privilege service accounts and expose network listening ports for backup management. These agents are frequently under-patched because they are considered infrastructure rather than security software. Multiple critical vulnerabilities in backup agents have been publicly disclosed and exploited — Veeam Backup & Replication in particular has multiple RCE CVEs rated 9.8.

Am I affected? Quick check

Probably yes if any of these apply:

All servers running third-party backup agents
Dedicated backup servers
Running: Any backup agent not on the latest vendor-released version

Affected OS versions

Windows Server 2016, Windows Server 2019, Windows Server 2022
Fixed in: Latest version from vendor

Real-world incidents: what we've seen

Ransomware groups began specifically targeting Veeam servers in 2022 after critical vulnerabilities were published. Attackers compromise the backup server first, delete or encrypt backup data, then deploy ransomware across the environment — ensuring the victim has no recovery path.

How to patch

Manual remediation steps

30–60 minutes per agent

Step 1 — Identify Backup Agents

# Check for common backup agent services
Get-Service | Where-Object {
    $_.DisplayName -match 'Veeam|Acronis|Commvault|Veritas|Backup Exec|Arcserve|Cohesity'
} | Select-Object DisplayName, Status, StartType

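# Check installed applications (64-bit and 32-bit uninstall keys;
# 32-bit installers register under WOW6432Node and are missed otherwise)
Get-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
                       'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*' -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match 'Veeam|Acronis|Commvault|Veritas|Backup' } |
    Select-Object DisplayName, DisplayVersion, Publisher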
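
"How the attack works" notes that these agents run as SYSTEM and expose listening ports. The following is an added example, not part of the original page or any vendor's tooling, that extends Step 1 to report the run-as account, binary version and listening TCP ports for each matching service. It assumes Windows PowerShell 5.1 in an elevated session; the output property names are illustrative.

```powershell
# Added example: inventory backup agent services with run-as account,
# binary version and listening TCP sockets. Same vendor pattern as Step 1.
$pattern = 'Veeam|Acronis|Commvault|Veritas|Backup Exec|Arcserve|Cohesity'

$report = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.DisplayName -match $pattern } |
    ForEach-Object {
        $svc = $_

        # PathName may be quoted and may carry arguments; keep only the executable path.
        $exe = $null
        if ($svc.PathName -match '^\s*"?(.+?\.exe)') { $exe = $Matches[1] }

        $version = $null
        if ($exe -and (Test-Path -LiteralPath $exe)) {
            $version = (Get-Item -LiteralPath $exe).VersionInfo.FileVersion
        }

        # A stopped service reports ProcessId 0 and has no sockets to list.
        $sockets = @()
        if ($svc.ProcessId -gt 0) {
            $sockets = @(Get-NetTCPConnection -State Listen `
                -OwningProcess $svc.ProcessId -ErrorAction SilentlyContinue)
        }

        # Listeners bound to anything other than loopback are reachable from
        # the network, subject to host and network firewalls.
        $exposed = @($sockets | Where-Object { $_.LocalAddress -notin '127.0.0.1', '::1' })

        [pscustomobject]@{
            Service      = $svc.DisplayName
            State        = $svc.State
            RunAs        = $svc.StartName
            RunsAsSystem = ($svc.StartName -eq 'LocalSystem')
            FileVersion  = $version
            ListenPorts  = ($sockets.LocalPort | Sort-Object -Unique) -join ','
            ExposedPorts = ($exposed.LocalPort | Sort-Object -Unique) -join ','
        }
    }

$report | Sort-Object Service | Format-Table -AutoSize
```

Only sockets owned by the service's own process are listed; worker processes started by an agent listen under different process IDs and need a separate check.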

Step 2 — Check for Known CVEs

1. Visit the vendor's security advisory page
2. Cross-reference your installed version against known CVEs:
    - Veeam: veeam.com/kb/articles
    - Acronis: security-advisories.acronis.com
    - Veritas: arcserve.com/support/security-advisories

Step 3 — Update Backup Agent

1. Download the latest version from the vendor portal
2. Follow the vendor's upgrade procedure (typically requires stopping the agent service)
3. Test backup functionality after the update

Verification

# Verify updated version
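# (64-bit and 32-bit uninstall keys, so 32-bit agents are not missed)
Get-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
                       'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*' -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match 'Veeam|Acronis|Commvault|Veritas|Backup' } |
    Select-Object DisplayName, DisplayVersion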

PowerShell automation: Coming soon

No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.