
· security veeam cve backup rce enterprise windows infrastructure

Veeam Backup and Replication CVE-2026-44963: CVSS 9.4 RCE Flaw Lets Authenticated Domain Users Take Over Backup Servers

Source: BleepingComputer

Veeam released a security patch on 9 June 2026 addressing CVE-2026-44963, a critical remote code execution vulnerability in Veeam Backup and Replication version 12. The flaw carries a CVSS v4 score of 9.4 and allows an authenticated Active Directory domain user – with no elevated permissions beyond standard domain membership – to execute arbitrary code on the Veeam backup server. The vulnerability was discovered by security researcher Sina Kheirkhah of watchTowr and disclosed to Veeam through coordinated disclosure.

What the Vulnerability Does

CVE-2026-44963 is a remote code execution flaw that requires only a valid domain user account to exploit. Any authenticated domain user with network access to a backup server running an affected build can send a crafted request to trigger the vulnerability and achieve code execution in the context of the Veeam service, which typically runs with elevated privileges on the host.

The low access bar is the feature of this vulnerability that makes it more dangerous than its CVSS score alone conveys. A CVSS 9.4 is high by any measure, but the real operational risk comes from the access requirement: “authenticated domain user” describes millions of accounts across typical enterprise Active Directory environments. Service accounts, helpdesk accounts, developer machines, and any compromised endpoint with domain membership all qualify. An attacker who has phished a single set of user credentials from a medium-sized organisation has, in many cases, everything needed to move directly to the backup server.

Affected Versions and Patch

The vulnerability affects Veeam Backup and Replication version 12.3.2.4465 and all earlier v12 builds. Veeam has addressed it in version 12.3.2.4854, released on 9 June 2026.

Veeam Backup and Replication version 13.x is not affected. The v13 architecture introduced structural changes to the backup service’s RPC handling that eliminate the conditions required to trigger the flaw. Organisations that have already migrated to v13 are not at risk from this specific CVE, though the migration should be verified rather than assumed.

The patch is available from Veeam’s standard update and download channels. Veeam has explicitly warned that once a patch is publicly released, threat actors routinely reverse-engineer the fix to identify the vulnerable code path and develop exploits. The window between public patch release and working exploit is typically short for high-profile backup products.

Why Backup Servers Are High-Value Targets

Backup infrastructure holds a privileged position in an organisation’s security posture for reasons that extend well beyond storage. A backup server typically has read access to large volumes of sensitive data across the environment, holds credentials or connections to multiple systems, and in many deployments has elevated rights that allow it to interact with hypervisors, databases, and application servers.

For ransomware operators, backup servers are a primary target because eliminating or encrypting backup data removes the primary path to recovery without paying the ransom. Gaining RCE on a Veeam server before deploying ransomware across the broader network allows an attacker to delete or encrypt backup repositories, exfiltrate backup data before encryption, and use the backup server’s existing privileged connections to pivot into additional systems.

Espionage actors find a different value in backup servers: the aggregated data they hold. A Veeam backup set for a production database server contains the same sensitive records as the database itself, often across multiple historical snapshots.

The Pattern of Veeam CVE Exploitation

This is not the first critical Veeam vulnerability to require urgent patching. CVE-2024-40711, a now-notorious unauthenticated RCE flaw in Veeam Backup and Replication, was actively exploited within days of its patch release in 2024, with exploitation linked directly to ransomware campaigns by groups including Fog and Akira. The combination of wide enterprise deployment, high inherent privilege, and sensitive data access makes Veeam a consistent target for rapid weaponisation after disclosure.

On paper, CVE-2026-44963 sets a higher bar for exploitation than CVE-2024-40711, because it requires authentication rather than zero-touch unauthenticated access. However, the “authenticated domain user” requirement is a very low threshold in practice, and organisations should not interpret it as a meaningful buffer against real-world exploitation.

What to Do Now

Patch immediately. Veeam has provided the fix. Given the exploitation history of previous Veeam CVEs, any delay in deploying 12.3.2.4854 on domain-joined backup servers represents active risk exposure. This is not a patch to schedule for the next monthly maintenance window.

Audit network access to backup servers. Veeam backup servers should not be reachable from general workstation subnets or from accounts beyond those explicitly required for backup administration. Firewall rules and network segmentation can reduce the attack surface while patching is in progress, but they do not substitute for applying the fix.

Review domain accounts with access to backup infrastructure. Map which accounts can authenticate to your Veeam environment and whether the access granted to each is appropriate. Service accounts used only for scheduled backup jobs should not have interactive logon capability or access to the Veeam management console beyond what is operationally required.

Check whether v12 or v13 is deployed. If your organisation has v13 in production, confirm it. If you are running v12 because a migration to v13 has been deferred, CVE-2026-44963 is a direct argument for accelerating that work beyond routine upgrade scheduling.

Review backup repository integrity. Organisations that identified any anomalous access to their Veeam environment over the past several weeks should validate the integrity of their backup repositories before relying on them for recovery. An attacker who had access to the backup server could have modified, deleted, or exfiltrated backup data.
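The first and fourth steps above (confirm the installed build, decide whether it is affected, patched, or a v13 deployment) can be scripted. The following PowerShell is an added example, not Veeam's own tooling; it assumes the build number can be read from the file version of Veeam.Backup.Manager.exe under the default install path, and uses a constructed host inventory for demonstration.

```powershell
# Added example (not Veeam's own tooling): classify Veeam Backup & Replication
# builds against CVE-2026-44963 using the version facts from the article:
#   13.x                 -> not affected (different RPC architecture)
#   12.x >= 12.3.2.4854  -> patched
#   12.x <  12.3.2.4854  -> affected (12.3.2.4465 and earlier are listed as
#                           affected; anything below the fix is treated as exposed)
#   anything else        -> unknown, verify by hand
$FixedBuild = [version]'12.3.2.4854'

function Get-VeeamCveStatus {
    param([Parameter(Mandatory)][string]$Build)
    $v = $null
    if (-not [version]::TryParse($Build.Trim(), [ref]$v)) {
        return [pscustomobject]@{ Build = $Build; Status = 'Unknown'; Action = 'Unparseable build string; check manually' }
    }
    $status, $action = switch ($v.Major) {
        13      { 'NotAffected', 'Confirm v13 is what actually runs in production' }
        12      { if ($v -ge $FixedBuild) { 'Patched', 'None' } else { 'Affected', "Upgrade to $FixedBuild now" } }
        default { 'Unknown', 'Build outside the scope of this advisory; verify with Veeam' }
    }
    [pscustomobject]@{ Build = $v.ToString(); Status = $status; Action = $action }
}

function Get-LocalVeeamBuild {
    # Assumption: the build is the file version of Veeam.Backup.Manager.exe in the
    # default install directory; adjust the path if your deployment differs.
    $exe = Join-Path $env:ProgramFiles 'Veeam\Backup and Replication\Backup\Veeam.Backup.Manager.exe'
    if (Test-Path $exe) { (Get-Item $exe).VersionInfo.FileVersion } else { $null }
}

# Constructed sample inventory (host -> reported build). In practice, populate it by
# running Get-LocalVeeamBuild on each backup server, e.g. via Invoke-Command.
$inventory = @{
    'vbr-01' = '12.3.2.4465'   # last build listed as affected
    'vbr-02' = '12.3.2.4854'   # fixed build
    'vbr-03' = '13.0.0.1'      # constructed v13 build number
    'vbr-04' = '12.1.2.172'    # older v12 build
    'vbr-05' = 'n/a'           # host where collection failed
}

$inventory.GetEnumerator() | ForEach-Object {
    Get-VeeamCveStatus -Build $_.Value |
        Add-Member -NotePropertyName Host -NotePropertyValue $_.Key -PassThru
} | Sort-Object Status, Host | Format-Table Host, Build, Status, Action -AutoSize

# Also classify the machine the script runs on, if Veeam is installed locally.
$local = Get-LocalVeeamBuild
if ($local) { Get-VeeamCveStatus -Build $local }
```

Hosts reported as Affected or Unknown are the ones to schedule for the 12.3.2.4854 upgrade first; a NotAffected result still warrants confirming that v13 is the build serving production, as the article notes.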

NIS2 Implications

Under NIS2, organisations in sectors including digital infrastructure, managed services, healthcare, energy, and financial markets are required to apply security patches as part of their baseline security obligations. A CVSS 9.4 RCE in widely deployed backup infrastructure, patched on the same day as a record-breaking Patch Tuesday, creates real scheduling pressure. Security teams should document their patching response timeline, including the date the vulnerability was triaged, the date patching began, and the date full coverage was achieved. That documentation may be requested by competent authorities in the event of a related incident.

If you need help assessing your Veeam deployment’s exposure to CVE-2026-44963, reviewing the access controls and network segmentation protecting your backup infrastructure, or planning an accelerated migration from v12 to v13, contact Excello Digital. We help European organisations secure their backup environments before they become a pivot point for ransomware or data theft.
