Critical-risk tools in Veeam VBR v13 MCP Server
28 of the 328 tools in Veeam VBR v13 MCP Server are classified as critical risk. This page profiles those tools specifically, with recommended policy actions and the attack patterns that target them.
Every operation listed below is an action PolicyLayer recommends controlling at the transport layer. Open any tool to see the full profile, risk score, and YAML policy snippet.
Tools at critical risk
-
clearAgentPolicyCacheDestructiveClear the backup cache for an agent backup policy.
-
DeleteBackupDestructiveDelete a backup dataset from the Veeam Backup server.
-
DeleteBackupObjectDestructiveDelete a specific object from a backup.
-
DeleteCloudCredsDestructiveRemove a cloud credentials record.
-
DeleteCloudCredsHelperApplianceAsyncDestructiveRemove a helper appliance from a cloud credentials record.
-
DeleteComputerRecoveryTokenDestructiveDelete a recovery token.
-
DeleteCredsDestructiveRemove a credentials record from the Veeam Backup server.
-
DeleteDatastoreLatencySettingsDestructiveRemove latency settings for a specific datastore.
-
DeleteEncryptionPasswordDestructiveRemove an encryption password.
-
DeleteEntraIDTenantsDestructiveRemove a Microsoft Entra ID tenant.
-
DeleteGlobalVMExclusionDestructiveRemove a VM from the global exclusion list.
-
DeleteJobDestructiveDelete a job from the Veeam Backup server.
-
DeleteKMSServerDestructiveRemove a KMS server.
-
DeleteManagedServerDestructiveRemove a server from the backup infrastructure.
-
DeleteProtectionGroupDestructiveRemove a protection group.
-
DeleteProxyDestructiveRemove a backup proxy.
-
DeleteRepositoryDestructiveRemove a backup repository.
-
DeleteScaleOutRepositoryDestructiveRemove a Scale-Out Backup Repository.
-
DeleteUnstructuredDataServersDestructiveRemove an unstructured data source.
-
DeleteUserDestructiveRemove a user or group from Veeam Backup & Replication.
-
RemoveInstanceLicenseDestructiveRemove an instance license record.
-
RemoveLicenseDestructiveRemove a license from the Veeam Backup server.
-
ResetAllBestPracticesComplianceStatusesDestructiveReset all Security & Compliance Analyzer statuses.
-
ResetBestPracticesComplianceStatusDestructiveReset the status of a specific Security & Compliance Analyzer best practice check.
-
RevokeCapacityLicenseDestructiveRevoke a capacity license from an unstructured data workload.
-
RevokeInstanceLicenseDestructiveRevoke an instance license from a workload.
-
RevokeSocketLicenseDestructiveRevoke a socket license from a specific host.
-
UninstallAgentFromDiscoveredEntitiesDestructiveUninstall Veeam Agent from discovered entities.
Attacks that target this class
Critical-risk tools in any server share these documented attack patterns. Each links to the full case and the defensive policy.