Veeam Patches Critical RCE Flaw in Backup & Replication

Key Takeaways

• CVE-2026-44963 allows remote code execution on domain-joined Veeam backup servers with a 9.4 CVSS score
• Any low-privilege domain user can exploit this flaw in VBR version 12.3.2.4465 and earlier
• Ransomware gangs routinely target Veeam servers to disable recovery options before attacks

The Vulnerability

Veeam released security updates on Tuesday to fix a critical remote code execution vulnerability in its Backup & Replication software. The flaw, tracked as CVE-2026-44963, carries a CVSS v3.1 severity score of 9.4, placing it firmly in the critical category.

WatchTowr security researcher Sina Kheirkhah discovered and reported the vulnerability. It affects VBR version 12.3.2.4465 and all earlier version 12 builds. Veeam fixed the issue in version 12.3.2.4854.

The attack surface is limited but significant. Only Veeam Backup & Replication installations joined to a Windows domain are vulnerable. However, any domain user with low privileges can exploit the flaw to execute code on the backup server.

“A vulnerability allowing remote code execution (RCE) on the Backup Server by an authenticated domain user.”

— Veeam Security Advisory

Version 13.x builds are not affected. Veeam says architectural changes in version 13 eliminated this attack vector.

Why This Matters for Backup Infrastructure

Many organizations have joined their Veeam servers to Windows domains despite the company's long-standing best practices recommending against it. Domain membership makes backup servers easier to manage but expands the attack surface. Any compromised domain account becomes a potential path to the backup infrastructure.

Veeam warned that attackers typically begin reverse-engineering patches as soon as they're released. The window between patch availability and widespread exploitation is often measured in days.

"This reality underscores the critical importance of ensuring that all customers use the latest versions of our software and install all updates and patches without delay," the company said in its advisory.

Ransomware Gangs Love Backup Servers

Backup servers are high-value targets for ransomware operators. Attackers have told BleepingComputer directly that they always target Veeam deployments. The logic is straightforward: if you delete or encrypt the backups first, victims have no recovery option except paying the ransom.

CISA has flagged four Veeam Backup & Replication vulnerabilities as actively exploited in attacks over recent years. All four were abused by ransomware gangs.

In November 2024, Sophos X-Ops reported that CVE-2024-40711, another critical VBR RCE flaw, had been weaponized by the Akira, Fog, and Frag ransomware operations. The FIN7 threat group, known for collaborating with Maze, Egregor, Conti, REvil, and BlackBasta, has also targeted VBR security flaws. The Cuba ransomware gang has done the same.

Veeam's products are used by over 550,000 customers worldwide. The company says 82% of Fortune 500 companies and 74% of Global 2,000 firms use its software.

What to Do Now

1. Update to VBR version 12.3.2.4854 or later immediately
2. Consider upgrading to version 13.x, which is not affected by this vulnerability class
3. Review whether your Veeam servers need domain membership, or if workgroup configuration would reduce risk
4. Audit domain user permissions and remove unnecessary accounts
5. Implement network segmentation to isolate backup infrastructure

The sysadmin community on Reddit and HackerNews is debating the domain-joined versus workgroup configuration question again. Many administrators are frustrated by the frequency of high-severity Veeam patches and are re-evaluating physical and logical isolation of their backup repositories.

Frequently Asked Questions

Which Veeam versions are affected by CVE-2026-44963?

Veeam Backup & Replication version 12.3.2.4465 and all earlier version 12 builds are vulnerable. Version 13.x is not affected.

Can this vulnerability be exploited remotely?

Yes, but only by authenticated domain users. Any user with low-privilege domain credentials can exploit it on domain-joined VBR servers.

How do I patch CVE-2026-44963?

Update to Veeam Backup & Replication version 12.3.2.4854 or later. Version 13.x is also unaffected.

Why do ransomware gangs target Veeam servers?

Deleting or encrypting backups before deploying ransomware removes the victim's recovery option, increasing the likelihood of ransom payment.

Should I remove my Veeam server from the domain?

Veeam's best practices recommend against domain membership for backup servers. Workgroup configuration reduces the attack surface but adds management complexity.

Source: BleepingComputer