A critical security vulnerability has been disclosed in Veeam Backup & Replication, one of the most widely deployed enterprise backup solutions globally.
Tracked as CVE-2026-44963, the flaw enables authenticated domain users to execute arbitrary code remotely on backup servers, posing severe risks to organizations relying on Veeam for data protection and recovery operations.
The vulnerability carries a CVSS v4 score of 9.4, placing it firmly in the critical severity tier. Discovered and reported by security researcher Sina Kheirkhah (@SinSinology) of WatchTowr, CVE-2026-44963 allows remote code execution (RCE) on the Backup Server by any authenticated domain user, a notably low privilege requirement that dramatically widens the attack surface.
Veeam Vulnerability Allows RCE Attacks
Crucially, this vulnerability only impacts domain-joined backup servers. Organizations running Veeam in a workgroup configuration rather than an Active Directory domain environment are not affected by this specific flaw.
Veeam’s own security best practice guidance has long recommended evaluating workgroup versus domain configurations precisely because domain-joined deployments expand the potential attacker pool.
The vulnerability affects Veeam Backup & Replication versions 12 through 12.3.2.4465, and all earlier versions of 12. This encompasses a wide range of deployments across the following major releases:
- Veeam Backup & Replication 12
- Veeam Backup & Replication 12.1
- Veeam Backup & Replication 12.2
- Veeam Backup & Replication 12.3, 12.3.1, and 12.3.2 (prior to build 4854)
Notably, Veeam Backup & Replication version 13.x is not affected due to architectural changes introduced in that release cycle. Unsupported product versions were not formally tested but should be assumed vulnerable.
Veeam has addressed the vulnerability in Veeam Backup & Replication 12.3.2.4854, released June 9, 2026, and available via Veeam KB4696. Organizations should prioritize upgrading immediately.
Veeam explicitly warned that once a vulnerability patch is publicly disclosed, threat actors routinely reverse-engineer the fix to develop exploits targeting unpatched systems.
Given the critical CVSS score and the relatively low bar of “authenticated domain user” access needed to trigger RCE, exploitation attempts against unpatched deployments are highly probable in the near term.
- Upgrade to Veeam Backup & Replication 12.3.2.4854 immediately
- Audit whether backup servers are domain-joined and evaluate migrating to a workgroup configuration per Veeam’s security best practices
- Monitor for suspicious lateral movement or privilege escalation activity originating from backup infrastructure
- Review domain user access controls on all Veeam Backup Server instances
Backup servers are high-value targets for ransomware operators, making rapid patching of CVE-2026-44963 a top remediation priority for enterprise security teams.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates.
