Veeam Patches Critical Backup & Replication RCE — Any Authenticated Domain User Can Execute Code on Backup Servers (CVE-2026-44963)

Veeam has patched CVE-2026-44963, a CVSS 9.4 flaw in Backup & Replication that lets any authenticated domain user execute remote code on the backup server. All version 12 builds are affected — version 13 is immune due to architectural changes. Ransomware groups routinely target Veeam first.

Veeam has released security updates for CVE-2026-44963, a critical remote code execution vulnerability in Backup & Replication rated CVSS 9.4. The flaw allows any authenticated domain user to execute arbitrary code on the backup server itself — a low bar in any Active Directory environment, where a single compromised workstation account becomes a direct path to the infrastructure protecting every other system.

The vulnerability affects Veeam Backup & Replication 12.3.2.4465 and all earlier version 12 builds. Version 13.x is not affected, owing to architectural changes introduced in that release. The fix ships in version 12.3.2.4854. Veeam credited watchTowr researcher Sina Kheirkhah with the discovery and responsible disclosure.

Why Backup Servers Are the Target

The severity here is less about the technical mechanics and more about what sits on the other side of the exploit. Backup infrastructure is the first thing ransomware operators hunt after gaining a domain foothold — destroying or encrypting backups before deploying the payload removes the victim's primary recovery option and maximizes ransom leverage. Veeam's install base makes it a recurring target: previous Backup & Replication vulnerabilities have been actively exploited in ransomware operations, and the product has appeared repeatedly in incident reports as the pivot point between initial access and full domain compromise.

The "authenticated domain user" requirement should not be read as a meaningful mitigation. In most enterprise breaches, attackers hold valid domain credentials within hours of initial access — via phishing, infostealers, or credential dumping. A flaw exploitable by any domain account is, in practical terms, exploitable by any attacker who has landed anywhere in the environment.

This is also Veeam's second major patch cycle of 2026 for the product line: in March, the company resolved multiple critical RCE flaws in Backup & Replication.

Figure: Veeam CVE-2026-44963 attack path, from any authenticated domain user to backup server RCE; affected v12 builds; fixed in 12.3.2.4854.

Action Items

Update Backup & Replication to 12.3.2.4854 immediately, or migrate to version 13 where feasible — the architectural changes there eliminate this class of issue. Beyond patching: backup servers should not be domain-joined where the architecture allows it, or should at minimum live in a hardened administrative tier with access restricted to dedicated accounts. Verify immutable or offline backup copies exist that a compromised backup server cannot reach. Given the exploitation history of prior Veeam flaws, assume proof-of-concept code will surface quickly and treat unpatched version 12 servers as exposed.
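
One way to triage an inventory of Backup & Replication servers against the version boundaries above, as an added example (not Veeam's tooling and not part of the original article). The host names and build values in the sample inventory are constructed, and flagging builds that fall between the two published numbers or outside versions 12 and 13 for follow-up is an assumption, since the article does not cover them.

```python
import re

# Version boundaries as stated in the article.
LAST_LISTED_AFFECTED = (12, 3, 2, 4465)
FIXED_BUILD = (12, 3, 2, 4854)

BUILD_RE = re.compile(r"([0-9]+)\.([0-9]+)\.([0-9]+)\.([0-9]+)")


def classify(build_text):
    """Map a four-part build string to a triage status."""
    m = BUILD_RE.fullmatch(build_text.strip())
    if m is None:
        return "UNPARSEABLE"          # truncated or free-text value: check by hand
    build = tuple(int(part) for part in m.groups())
    if build[0] == 13:
        return "NOT_AFFECTED"         # article: 13.x is not affected
    if build[0] != 12:
        return "NOT_COVERED"          # article is silent on these: review manually
    if build >= FIXED_BUILD:
        return "FIXED"
    if build <= LAST_LISTED_AFFECTED:
        return "VULNERABLE"
    return "BELOW_FIXED_BUILD"        # assumption: anything under the fix is exposed


def needs_action(inventory):
    """Return (host, build, status) for every server that is not cleared."""
    cleared = {"FIXED", "NOT_AFFECTED"}
    rows = [(host, build, classify(build)) for host, build in inventory]
    return sorted((r for r in rows if r[2] not in cleared), key=lambda r: (r[2], r[0]))


# Constructed inventory (hypothetical hosts and build values, not real data).
SAMPLE_INVENTORY = [
    ("bkp-01.example.internal", "12.3.2.4465"),
    ("bkp-02.example.internal", "12.3.2.4854"),
    ("bkp-03.example.internal", "13.0.0.100"),
    ("bkp-04.example.internal", "12.1.0.50"),
    ("bkp-05.example.internal", "12.3.2.4700"),
    ("bkp-06.example.internal", "11.0.1.10"),
    ("bkp-07.example.internal", "12.3"),
]

if __name__ == "__main__":
    for host, build, status in needs_action(SAMPLE_INVENTORY):
        print(f"{status:18} {host:26} {build}")
```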
