Veeam Patches Critical RCE Flaw in Backup & Replication

Key Takeaways

- CVE-2026-44963 allows remote code execution on domain-joined Veeam backup servers with a 9.4 CVSS score
- Any low-privilege domain user can exploit this flaw in VBR version 12.3.2.4465 and earlier
- Ransomware gangs routinely target Veeam servers to disable recovery options before attacks

The Vulnerability

Veeam released security updates on Tuesday to fix a critical remote code execution vulnerability in its Backup & Replication software. The flaw, tracked as CVE-2026-44963, carries a CVSS v3.1 severity score of 9.4, placing it firmly in the critical category.
WatchTowr security researcher Sina Kheirkhah discovered and reported the vulnerability. It affects VBR version 12.3.2.4465 and all earlier version 12 builds. Veeam fixed the issue in version 12.3.2.4854.
The attack surface is limited but significant. Only Veeam Backup & Replication installations joined to a Windows domain are vulnerable. However, any domain user with low privileges can exploit the flaw to execute code on the backup server.
“A vulnerability allowing remote code execution (RCE) on the Backup Server by an authenticated domain user.”
— Veeam Security Advisory
Version 13.x builds are not affected. Veeam says architectural changes in version 13 eliminated this attack vector.

Why This Matters for Backup Infrastructure

Many organizations have joined their Veeam servers to Windows domains despite the company's long-standing best practices recommending against it. Domain membership makes backup servers easier to manage but expands the attack surface. Any compromised domain account becomes a potential path to the backup infrastructure.
Veeam warned that attackers typically begin reverse-engineering patches as soon as they're released. The window between patch availability and widespread exploitation is often measured in days.
"This reality underscores the critical importance of ensuring that all customers use the latest versions of our software and install all updates and patches without delay," the company said in its advisory.

Ransomware Gangs Love Backup Servers

Backup servers are high-value targets for ransomware operators. Attackers have told BleepingComputer directly that they always target Veeam deployments. The logic is straightforward: if you delete or encrypt the backups first, victims have no recovery option except paying the ransom.
CISA has flagged four Veeam Backup & Replication vulnerabilities as actively exploited in attacks over recent years. All four were abused by ransomware gangs.
In November 2024, Sophos X-Ops reported that CVE-2024-40711, another critical VBR RCE flaw, had been weaponized by the Akira, Fog, and Frag ransomware operations. The FIN7 threat group, known for collaborating with Maze, Egregor, Conti, REvil, and BlackBasta, has also targeted VBR security flaws. The Cuba ransomware gang has done the same.
Veeam's products are used by over 550,000 customers worldwide. The company says 82% of Fortune 500 companies and 74% of Global 2,000 firms use its software.

What to Do Now

- Update to VBR version 12.3.2.4854 or later immediately
- Consider upgrading to version 13.x, which is not affected by this vulnerability class
- Review whether your Veeam servers need domain membership, or if workgroup configuration would reduce risk
- Audit domain user permissions and remove unnecessary accounts
- Implement network segmentation to isolate backup infrastructure
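
To turn the first and third items into a patch queue, this added Python example (not from Veeam or the source article) classifies an inventory of VBR servers using only the conditions stated above: build 12.3.2.4465 and earlier v12 builds are affected, 12.3.2.4854 is fixed, 13.x is not affected, and only domain-joined servers are reachable by a domain user. The host names, sample builds, CSV columns and status labels are constructed assumptions.

```python
import csv
import io

# Build numbers taken from the article; everything else here is constructed.
LAST_AFFECTED = (12, 3, 2, 4465)  # this build and earlier v12 builds are affected
FIRST_FIXED = (12, 3, 2, 4854)    # build that contains the fix
PRIORITY = ["exposed", "patch-pending", "unverified", "patched", "not-affected"]

# Constructed inventory: hypothetical hosts, builds and column names.
SAMPLE_INVENTORY = """host,build,domain_joined
vbr-hq,12.3.2.4465,yes
vbr-dr,12.3.2.4854,yes
vbr-lab,12.1.0.2131,no
vbr-new,13.0.0.100,yes
vbr-odd,12.3.2.4700,yes
vbr-bad,unknown,yes
"""

def parse_build(text):
    """Return a 4-tuple of ints, or None unless text is a dotted 4-part build."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def classify(build_text, domain_joined):
    """Map one server to a triage status using only the article's conditions."""
    build = parse_build(build_text)
    if build is None or build[0] not in (12, 13):
        return "unverified"        # unparsable, or a major version the article does not cover
    if build[0] == 13:
        return "not-affected"
    if build >= FIRST_FIXED:
        return "patched"
    if build > LAST_AFFECTED:
        return "unverified"        # between last affected and first fixed: confirm with vendor
    # Affected build: reachable by any domain user only when domain-joined.
    return "exposed" if domain_joined else "patch-pending"

def triage(inventory_csv):
    """Return (host, status) pairs, most urgent first; input order kept within a status."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    results = [(r["host"], classify(r["build"], r["domain_joined"].strip().lower() == "yes"))
               for r in rows]
    return sorted(results, key=lambda item: PRIORITY.index(item[1]))

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY):
        print(f"{status:14} {host}")
```

Servers marked "patch-pending" run an affected build but are not domain-joined, so they still need the update; "unverified" entries need a manual check against the vendor advisory.
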
The sysadmin community on Reddit and HackerNews is debating the domain-joined versus workgroup configuration question again. Many administrators are frustrated by the frequency of high-severity Veeam patches and are re-evaluating physical and logical isolation of their backup repositories.

Frequently Asked Questions

Which Veeam versions are affected by CVE-2026-44963?
Veeam Backup & Replication version 12.3.2.4465 and all earlier version 12 builds are vulnerable. Version 13.x is not affected.
Can this vulnerability be exploited remotely?
Yes, but only by authenticated domain users. Any user with low-privilege domain credentials can exploit it on domain-joined VBR servers.
How do I patch CVE-2026-44963?
Update to Veeam Backup & Replication version 12.3.2.4854 or later. Version 13.x is also unaffected.
Why do ransomware gangs target Veeam servers?
Deleting or encrypting backups before deploying ransomware removes the victim's recovery option, increasing the likelihood of ransom payment.
Should I remove my Veeam server from the domain?
Veeam's best practices recommend against domain membership for backup servers. Workgroup configuration reduces the attack surface but adds management complexity.
Source: BleepingComputer
Huma Shazia
Senior AI & Tech Writer