Veeam Backup & Replication vulnerabilities not updated after patching


Stefano Raspadori

Apr 2, 2026, 6:11:43 AM
to Wazuh | Mailing List
Hello everybody,
I have an issue on Wazuh version v4.14.4: the agent, on a Windows 2022 server VM, reports 4 vulnerabilities (CVE-2026-21667, CVE-2026-21666, CVE-2026-21668, CVE-2025-48983) for Veeam Backup & Replication version 12.3.2.3617.
All these issues were fixed in Veeam Backup & Replication version 12.3.2.4465, which I installed 2 days ago, but Wazuh still reports version 12.3.2.3617 in the inventory, along with the 4 vulnerabilities above.
I tried almost everything, including rebooting both servers (Wazuh and Veeam), but it still reports the wrong Veeam version and issues that should have been fixed.
Any suggestions?
Thanks

Stefano

Stuti Gupta

Apr 2, 2026, 7:06:31 AM
to Wazuh | Mailing List
Hi Stefano, 

Yes, you are right, the Veeam version 12.3.2.4465 should not be affected by these vulnerabilities according to the Wazuh CTI:
CVE-2026-21667: https://cti.wazuh.com/vulnerabilities/cves/CVE-2026-21667#:~:text=All%20affected,12.0.0.1402%20to%2012.3.2.4465
CVE-2026-21666: https://cti.wazuh.com/vulnerabilities/cves/CVE-2026-21666
CVE-2026-21668: https://cti.wazuh.com/vulnerabilities/cves/CVE-2026-21668
CVE-2025-48983: https://cti.wazuh.com/vulnerabilities/cves/CVE-2025-48983

Also, it is confirmed here:
https://www.veeam.com/kb4830
https://www.veeam.com/kb4771

Can you please run the following API call in Server Management > Dev Tools:
GET /syscollector/<agent_id>/packages?search=Veeam

This is to check the exact package version read by Wazuh.

Also, share the JSON-format alert from Vulnerability detection > Inventory, as shown in the images (Screenshot_10.png, Screenshot_9.png).

Also, share the ossec.log from the wazuh-manager:
cat /var/ossec/logs/ossec.log | grep <affected agent id>

Same from the agent side: C:\Program Files (x86)\ossec-agent\ossec.log
Additionally, share the agent OS details and the manager and agent Wazuh versions.

Looking forward to your response.

Stefano Raspadori

Apr 2, 2026, 8:03:53 AM
to Wazuh | Mailing List
Thanks for the reply, here are the files requested:

syscollector.txt is the API response
agent_ossec.log is the Agent log file on the Veeam server

Strangely, cat /var/ossec/logs/ossec.log | grep 004 returns nothing (while with another agent ID, like 005, it finds something).

Thanks for your help
syscollector.txt
Agent_ossec.log

Stefano Raspadori

Apr 2, 2026, 8:03:53 AM
to Wazuh | Mailing List
Thanks for the reply.
Please find attached the files requested:


syscollector.txt is the API response
agent_ossec.log is the agent log on the Veeam server

Strangely, cat /var/ossec/logs/ossec.log | grep 005 returns nothing (while, for example, 004, which is another server, exists).

Thanks for your help
On Thursday, April 2, 2026 at 13:06:31 UTC+2, Stuti Gupta wrote:
Agent_ossec.log
syscollector.txt

Stuti Gupta

7:37 AM (12 hours ago)
to Wazuh | Mailing List

Hi Stefano,

The agent logs are fine, and so is the manager side. From the JSON inventory you shared, Wazuh is still detecting Veeam Backup & Replication version 12.3.2.3617 for all components:

  • Veeam Backup & Replication Server: 12.3.2.3617
  • Veeam Backup & Replication Console: 12.3.2.3617
  • Veeam Backup Catalog: 12.3.2.3617
  • Veeam Installer Service: 12.3.2.3617
This is the content from the package API command output that you shared:
{
        "scan": {
          "id": 0,
          "time": "2026-03-19T11:17:39+00:00"
        },
        "size": 0,
        "name": "Veeam Installer Service",
        "install_time": "2025-10-16T09:44:16+00:00",
        "version": "12.3.2.3617",
        "location": "C:\\Windows\\Veeam\\Backup\\",
        "source": " ",
        "format": "win",
        "priority": " ",
        "vendor": "Veeam Software Group GmbH",
        "description": " ",
        "architecture": "i686",
        "section": " ",
        "agent_id": "005"
      },
      {
        "scan": {
          "id": 0,
          "time": "2026-03-19T11:17:40+00:00"
        },
        "size": 0,
        "name": "Veeam Backup & Replication Console",
        "install_time": "2025-10-16T09:44:07+00:00",
        "version": "12.3.2.3617",
        "location": "C:\\Program Files\\Veeam\\Backup and Replication\\",
        "source": " ",
        "format": "win",
        "priority": " ",
        "vendor": "Veeam Software Group GmbH",
        "description": " ",
        "architecture": "x86_64",
        "section": " ",
        "agent_id": "005"
      },
      {
        "scan": {
          "id": 0,
          "time": "2026-03-19T11:17:41+00:00"
        },
        "size": 0,
        "name": "Veeam Backup Catalog",
        "install_time": "2025-10-16T09:37:03+00:00",
        "version": "12.3.2.3617",
        "location": "C:\\Program Files\\Veeam\\Backup and Replication\\",
        "source": " ",
        "format": "win",
        "priority": " ",
        "vendor": "Veeam Software Group GmbH",
        "description": " ",
        "architecture": "x86_64",
        "section": " ",
        "agent_id": "005"
      },
      {
        "scan": {
          "id": 0,
          "time": "2026-03-19T11:17:43+00:00"
        },
        "size": 0,
        "name": "Veeam Backup & Replication Server",
        "install_time": "2025-10-16T09:42:37+00:00",
        "version": "12.3.2.3617",
        "location": "C:\\Program Files\\Veeam\\Backup and Replication\\",
        "source": " ",
        "format": "win",
        "priority": " ",
        "vendor": "Veeam Software Group GmbH",
        "description": " ",
        "architecture": "x86_64",
        "section": " ",
        "agent_id": "005"
      }


From this data, it is possible that the old Veeam package entry is still present in the Windows software inventory, and Syscollector is reading that entry. Syscollector on the agent side reads the software inventory from the Windows package registry. If the upgrade left the old entry behind, Syscollector will still detect version 12.3.2.3617.


Please check in Control Panel > Programs and Features whether the version shown for Veeam Backup & Replication is still 12.3.2.3617 or whether 12.3.2.4465 appears there.

You can also use a PowerShell command to verify what Windows reports as installed packages, such as the following:

Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* |
Where-Object {$_.DisplayName -like "*Veeam*"} |
Select DisplayName, DisplayVersion

If both versions appear, that is the reason why the old version is still detected.

Let me know your findings. 
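
An added triage sketch, not part of the thread and not Wazuh's own code: it takes package rows in the shape returned by the syscollector call above and separates rows last written before the upgrade from rows written afterwards that still carry the old build. The upgrade time and two of the sample rows are constructed, and treating scan.time as the time the row was last written is an assumption.

```python
from datetime import datetime

FIXED_BUILD = "12.3.2.4465"  # fixed Veeam build named in the thread

def parse_version(text):
    """Turn a dotted build string such as '12.3.2.3617' into a comparable tuple."""
    return tuple(int(part) for part in text.strip().split("."))

def triage(packages, patched_at, fixed_build=FIXED_BUILD):
    """Return (name, version, status) for each inventory row."""
    fixed = parse_version(fixed_build)
    report = []
    for pkg in packages:
        # Assumption: scan.time is when this inventory row was last written.
        written = datetime.fromisoformat(pkg["scan"]["time"])
        if parse_version(pkg["version"]) >= fixed:
            status = "patched"
        elif written < patched_at:
            status = "not-refreshed"     # row predates the upgrade
        else:
            status = "old-entry-reread"  # written after the upgrade, still old
        report.append((pkg["name"], pkg["version"], status))
    return report

def row(name, version, scan_time):
    """Build a minimal package row with the fields the triage reads."""
    return {"name": name, "version": version, "scan": {"id": 0, "time": scan_time}}

# First row uses values quoted in the thread; the other two are constructed.
SAMPLE = [
    row("Veeam Installer Service", "12.3.2.3617", "2026-03-19T11:17:39+00:00"),
    row("Veeam Backup Catalog", "12.3.2.3617", "2026-04-01T09:00:00+00:00"),
    row("Veeam Backup & Replication Console", "12.3.2.4465", "2026-04-01T09:00:01+00:00"),
]
# Assumed upgrade time ("2 days ago" relative to the Apr 2 post); replace with the real one.
PATCHED_AT = datetime.fromisoformat("2026-03-31T00:00:00+00:00")

if __name__ == "__main__":
    for name, version, status in triage(SAMPLE, PATCHED_AT):
        print(f"{status:18} {version:14} {name}")
```

A "not-refreshed" row means the manager's inventory has recorded no change for that package since before the upgrade, while an "old-entry-reread" row fits the leftover registry entry case described in the reply above.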
