CVE-2026-32999
Deferred - Pending Action
Insufficient Input Validation in Comet Backup Server Allows Code Execution

Publication date: 2026-05-28

Last updated on: 2026-05-28

Assigner: HackerOne

Description
Insufficient character filtering in the backup agent signing module of Comet Backup Server allows an authenticated tenant administrator to execute arbitrary code on behalf of a privileged user on the affected server and on connected devices.
Meta Information
Generated: 2026-06-17
AI Q&A: 2026-05-28
EPSS Evaluated: 2026-06-16
References: NVD, EUVD
Affected Vendors & Products (2 associated CPEs)
Vendor         Product        Version / Range
comet_backup   comet_backup   up to 26.4.3 (excluding)
comet_backup   comet_backup   up to 26.5.0 (excluding)
CWE
CWE-94: The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Executive Summary

CVE-2026-32999 is a critical remote code execution (RCE) vulnerability in Comet Backup Server, affecting versions prior to 26.4.3 and prior to 26.5.0.

The root cause is insufficient character filtering in the backup agent signing module. A tenant administrator who holds branding permissions can upload malicious .dll or .so files as part of the branding configuration, and the signing module does not reject them.

The attacker can thereby execute arbitrary code on the Comet Backup server and on connected devices with the privileges of a privileged user, crossing tenancy boundaries that the tenant administrator role is supposed to respect.

Compliance Impact

The vulnerability allows an authenticated tenant administrator to execute arbitrary code with elevated privileges on the Comet Backup server and on connected devices. This can expose server configuration files and backed-up user data, and so can result in a data breach.

Such unauthorized access and potential data compromise can put an organization out of compliance with data protection regulations such as GDPR and HIPAA, which require controls that prevent unauthorized access to personal and sensitive data and preserve its integrity.

Organizations running affected versions of Comet Backup should upgrade to a fixed release (26.4.3 or 26.5.0 and later) promptly to reduce the risk and maintain compliance with these standards.

Impact Analysis

An attacker who exploits this vulnerability gains full access to the server's configuration files and to the backed-up data of the remote devices on which the backup agent is installed.

The attacker can also stop, replace, or remove the Comet Server installation and execute code with privileged user permissions on connected devices.

The consequences are severe data breaches, loss of data integrity, and disruption of the backup service itself.

Detection Guidance

Exploitation requires an authenticated tenant administrator to upload malicious .dll or .so files as part of the branding configuration. Detection therefore centres on unexpected changes to branding configuration files and on uploads of dynamic libraries (.dll or .so) into the branding data.

On the server, look for recently created or modified files in the branding configuration directory, either with a file integrity monitoring tool or with commands such as 'ls -lt' to list recent files and 'find' with '-mtime' or '-newer' to locate recently modified .dll or .so files. A malicious library need not carry a telltale extension, so checking file headers (the PE 'MZ' signature or the ELF magic) is more robust than matching file names alone.

In addition, review server audit logs for branding changes made by tenant administrators, and watch connected devices for unexpected execution of backup-tool clients with elevated privileges, which would indicate exploitation rather than mere preparation.

Mitigation Strategies

The fix is to upgrade Comet Backup Server to version 26.4.3, 26.5.0, or later; these releases contain the patch for this vulnerability.

Self-hosted Comet Backup deployments must apply this update to prevent exploitation. Comet Hosted servers have already been patched, so hosted administrators need take no action.
