[wpseo_breadcrumb]
Update Veeam Backup & Replication to Build 13.0.1.2067
In this guide, we will discuss the steps to Update Veeam Backup & Replication to Build 13.0.1.2067 due to the following security Vulnerabilities. Veeam Backup & Replication 13.0.1.2067 delivers a critical update focused on strengthening security, improving platform stability, and enhancing integration across backup, cloud, and storage environments. Please see Veeam Backup and Replication: PowerShell must be Remote Signed, and Prevent Automatic Driver Updates in Windows and Xen-Orchestra.
This release addresses multiple high-severity vulnerabilities, including remote code execution (RCE), privilege escalation, and credential exposure risks, making it an essential upgrade for all production deployments.
Security Vulnerabilities
This table lists all security-related fixes included in the release, mapped to their CVE identifiers and severity ratings. Each entry describes the vulnerability ID (CVE), its severity level (Critical or High), and the potential impact on the system if exploited.
| CVE | Severity | Impact |
|---|---|---|
| CVE-2026-21669 | Critical (9.9) | Authenticated domain user can perform RCE on Backup Server |
| CVE-2026-21670 | High (7.7) | Low-privileged user can extract saved SSH credentials |
| CVE-2026-21671 | Critical (9.1) | Backup Admin RCE in HA deployments |
| CVE-2026-21672 | High (8.8) | Local privilege escalation on Windows servers |
| CVE-2026-21708 | Critical (9.9) | Backup Viewer RCE as postgres use |
Please see Switch from IP Addresses to DNS for Backup Infrastructure in VBR, how to remove a Repository from Veeam Backup and Replication, and how to Fix broken Repository Path in Veeam Scale-Out Backup Repository.
New Features and Enhancements in Build 13.0.1.2067
Unlike bug fixes, these update also introduces key improvements to Veeam Data Cloud Vault authentication, better log handling, and resolves a wide range of issues across core backup infrastructure, application plug-ins, cloud services, and storage integrations.
These enhancements collectively improve operational reliability, and refine overall system performance. The table below provides various enhancementsintriduced in this build.
| Area | Enhancement | Description / Impact |
|---|---|---|
| Veeam Data Cloud Vault | Direct authorization via VDC | Backup server authorization now communicates directly with Veeam Data Cloud, removing the need for a License Admin role. Any user with correct VDC permissions can register servers. |
| Veeam Data Cloud Vault | Code-based registration process | Replaces redirect-based authentication. Backup server generates a registration code which is entered into the VDC portal, improving security and control. |
| Web UI / Supportability | Improved log bundle collection tool | Log collection is now more efficient and produces significantly smaller support bundles by targeting only relevant logs. |
How to upgrade Path and In-Place Upgrade for VBR v13 and Known Fixes, how to upgrade Veeam Backup and Replication 12.3, and how to upgrade Veeam Backup and Replication v12.3 to v13 on Windows
Resolved Issues
This release fixes multiple issues across Veeam Backup & Replication components, improving stability, performance, security, and compatibility as discussed below.
| Component Area | Issue | Resolution |
|---|---|---|
| Backup Infrastructure (Linux/Windows interoperability) | SMB backup import fails when specifying full .vbk path due to Linux path parsing error | Fixed path normalization to correctly process absolute Linux and SMB-based file paths |
| Backup Infrastructure (Update & Hardening) | DISA STIG-enabled RHEL updates may update Veeam GPG keys during package updates | Improved package signing and key validation process for hardened Linux environments |
| Backup Infrastructure (vSphere Integration) | vCenter plugin fails to initialize with HTTP 404 error | Fixed plugin endpoint routing and initialization logic |
| Backup Infrastructure (Core Services) | Service version timeout causes job failures under load | Increased default service timeout to 120 seconds to improve stability |
| Scale-Out Backup Repository (NFS Extents) | Export jobs fail when retention is configured on NFS-based performance extents | Fixed retention handling logic for NFS-backed extents |
| Object Storage (Gateway Selection) | Backup server incorrectly selected as gateway in direct mode | Improved gateway/proxy selection algorithm to prioritize optimal transport nodes |
| Application Plug-ins (Installation & FIPS Compliance) | Plug-in installation fails with “no digest” error on FIPS-enabled systems | Fixed RPM package validation to support FIPS-compliant cryptographic verification |
| Application Plug-ins (Security & TLS) | Certificate validation errors with self-signed or CA-signed certificates | Improved TLS trust chain validation and certificate handling logic |
| Application Plug-ins (RBAC & Permissions) | Backup operator role lacks permissions in centralized plug-in management | Updated role-based access control definitions for application backup policies |
| Unstructured Data Backup (NAS Protection) | Backup fails when policy name contains special characters | Fixed NAS storage creation logic to properly handle encoded file names |
| Primary Storage (IBM FlashSystem Integration) | Snapshot backups return warning status when Volume Protection is enabled | Improved snapshot handling under protected volume configurations |
| Primary Storage (Dell PowerStore Integration) | Plug-in fails after upgrade due to SSL/TLS mismatch | Fixed TLS configuration compatibility between Veeam and storage API |
| Primary Storage (Job Execution Engine) | Long-running storage operations terminate prematurely due to HTTP timeout | Increased HTTP client timeout handling for storage operations |
| Microsoft Azure Restore (Recovery Engine) | Restored Windows VMs may become non-bootable | Fixed VHD mounting and conversion process during Azure restore workflows |
| Veeam Agent for Linux & Windows (S3 Integration) | S3-compatible repository creation fails with HTTP 503 responses | Improved retry logic and endpoint validation for S3-compatible storage systems |
| File-Level Restore (Network Optimization) | FLR mounts are slow when multiple preferred networks are configured | Optimized network resolution logic and introduced preferred IP configuration option |
| Microsoft Entra ID (Cloud Authentication) | Backup jobs fail when using HTTP/HTTPS proxy | Fixed proxy handling in cloud authentication and token retrieval workflows |
| Veeam Cloud Connect (Replication Engine) | High memory usage when datastore clusters are used for replication targets | Optimized memory management in replication job processing |
| Veeam Cloud Connect (Job Session Management) | Backup jobs fail with “session not found” error in object storage workflows | Fixed job session tracking and recovery logic |
| Web UI (Authentication & MFA) | Veeam Intelligence fails to open when MFA is enabled | Fixed authentication flow compatibility with multi-factor authentication |
Missing Software
Veeam Backup & Replication automatically notifies you about updates that must or should be installed to enhance your work experience with the product. Update notifications eliminate the risk of using out-of-date components in the backup infrastructure. Or missing critical updates that can have a negative impact on data protection and disaster recovery tasks.
Note: After a new build of Veeam Backup & Replication is published to the Veeam update server, the backup console automatically notifies administrators via the Windows Action Center. In addition, any available updates can be viewed directly within the console under Backup Infrastructure, Managed Servers.
Here, missing or pending updates are clearly indicated, as shown below. When the relevant component is selected, you can click “Open Updater UI” to launch the update interface, as illustrated below.
When you click “Open Updater UI” in Veeam Backup & Replication, the system opens the Veeam Updater interface, which manages product updates. The Updater UI connects to the Veeam Update Server and checks for available updates in your environment. However, I cannot show the full process here due to certificate issues, as shown below.
You will be redirected to the Veeam Updater interface for authentication. You will find this link information regardless update behaviour.
Now you will run into errors because you do not have a valid certifxate with Error 404. The Updater UI cannot properly complete authentication due to certificate trust issues. So it attempts to access update resources without a valid session context, resulting in missing (404) endpoints.
Assuming a trusted certificate is installed instead of a self-signed certificate, the Updater UI displays a list of installed components (Backup Server, proxies, repositories, agents, etc.) along with their current versions. It also shows any available patches, hotfixes, or full builds for each component. You can view detailed release information, including version numbers, descriptions, and dependencies. From there, you can either download updates manually or trigger an automated update workflow.
Please see Leverage Azure Blob Storage as an Object Storage Repo in Veeam, PXE Boot Failure: “Access Denied or Aborted” with Secure Boot on [Part 4], and Advanced Tape Troubleshooting: Diagnosing Veeam LTO Drive Issues with ITDT.
View and Apply Missing Patches
Since the Veeam Backup & Replication Backup Infrastructure (Managed Servers) component cannot display the update type, you must review missing updates through the main console. To do this, open the hamburger menu, navigate to Updates, and then select Missing Updates.
As you can see, we are missing some security patches fr Veeam Backup and Replication 13. Unfortunately, we cannot apply these updates from this wizard as the options to install and install all are grayed out. At the end of this guide, I will show you how to apply or trigger an automated update for a Repository via this window.
Please see Azure Resource Locks: Protecting Critical Cloud Resources from Accidental and Malicious Deletion, and Fix Operating System Loader failed signature verification” on Dell Safe BIOS Systems via PXE [Part 3].
Download VBR v13.0.1.2067 ISO
You can discover the latest version of VBR from here. Ensure the right version and build is selected and click on Download as shown below.
You will be required to login in order to acess the download.
Before proceeding to apply the patch, we are currently running Veeam Backup and Replication Build 13.0.1.180
Mount ISO
After downloading the ISO, open the file properties and ensure the “Unblock” option is selected before mounting or extracting the file. Since the ISO was downloaded from the internet, Windows marks it with a security identifier (Mark of the Web), which can prevent certain files or scripts from executing correctly.
Unblocking the file removes this restriction and helps avoid installation or execution issues during the upgrade process.
Next mount the file by right-clikinmg on the downloaded ISO and clicking on “Mount”.
After you mount the image or insert the disk, Autorun opens a splash screen. If Autorun is not available or disabled, run the Setup.exe file from the image or disk as shown below.
Click on Modify as shown below.
Modify Veeam Backup and Replocation
Next, select Modify Veeam Backup & Replication to proceed.
Accept the License Agreement
Kindly wait for a while as the system detrmines if there are potential issues with the upgrade.
As you can see below, a server restart is required in order to proceed with thee installation.
On the prompt to reboot, click on Yes.
Upon restart, run the setup file again and at the upgrade step. Select the Update remote components automatically check box. Otherwise, the backup server will prompt you to upgrade them during the first run of the backup server after the update.
I have decided not to slect it in order to show you the various steps to perform the compionents uphgrade. Click Upgrade to begin the update process.
As you can see the upgrade process has started.
The Veeam Exploreers are being updated
Unfortunately, this upgrade was very fast and I missed the image for the step 3. As you can see below, the Plug-ins are being installed.
Updates are currently being applied
Installating are being finalized and services are being started.
Click on Finish to complete the update process.
At this step, yu will be prompted to restart your VBR server for the configiration changes to take effect.
Please see How to protect Microsoft 365 beyond native limits with VDC [Part 1], and how to Update WinPE Boot Images with Windows UEFI CA Certificates [Part 2].
Upgrade Veeam Components
Because we did nopt select to upgrade the components aurtomatically. As you can see somemanaged servers currently requires upgrade.
Also, from the Veeam Backup and Replication Client, you can see from from the components updaate that the following need to be upgraded too.
Note: Every time you launch the Veeam Backup & Replication console, Veeam Backup & Replication automatically checks if Veeam Backup & Replication components installed on managed servers are up to date. If a later version of components is available, the system displays the Components Update window once a week for all users (once per user) who access the backup server. Components upgrade may be necessary, for example, after you have upgraded Veeam Backup & Replication as it is in my case.
You can manually check if components upgrade is required. To do this, select Upgrade from the main menu. If components on all managed servers are up to date, the menu item will be disabled as previously shown above.
Click on Next to prceed
As you can see the components have been upgraded as shown below. Click Finish to complete the components upgrade steps.
As ylou can see we have successfully upgradeed VBR to Build 13.0.1.2067
Please see Update WinPE Boot Images with Windows UEFI CA Certificates [Part 2], and how to perform Tape Drive Cleaning in Practice.
Apply Security Updates to Veem Hardened Repository
As you can see below, under the missing updates wizard. We have some missing updates for the Veem Infrastrcutire Hardned Repository. To install the updates, click on Install All as shown below.
When prompted, click on Yes to reboot
As you can see, the security updates were applied to the Veeam Infrastructure Updates as shown below.
As ypu can see, there are no more updates and the wizard is empty.
I hope yu found this guide on how to Update Veeam Backup & Replication to Build 13.0.1.2067 very useful. Please feel free to leave a comment below.
