A newly discovered deserialization vulnerability, tracked as CVE-2026-44963, affects Veeam Backup & Replication. This vulnerability allows authenticated domain users to execute remote code on backup servers by exploiting weaknesses in the handling of BinaryFormatter.
The issue, detailed by SecureLayer7 Labs, is part of a concerning trend of flaws in Veeam’s .NET Remoting attack surface, where inadequate blacklist-based protections fail to prevent the exploitation of unsafe deserialization methods effectively.
Veeam Backup BinaryFormatter Flaw
Veeam Backup & Replication (VBR) is widely used in enterprise environments for managing backup, replication, and disaster recovery across virtual, physical, and cloud workloads.
The Backup Server acts as the central orchestrator, responsible for storing credentials, managing backup jobs, and coordinating infrastructure. Due to its critical role, ransomware attackers often target the Backup Server, enabling them to delete or tamper with backups before deploying harmful payloads.
The vulnerability exists in the Veeam Backup Service (Veeam.Backup.Service.exe), which exposes a .NET Remoting HTTP endpoint on TCP port 8000 at the /trigger path.
This service processes incoming requests using BinaryFormatter deserialization wrapped in a custom CProxyBinaryFormatter with a RestrictedSerializationBinder configured in FilterByBlacklist mode.
This mechanism does not enforce strict type safety; instead, it only blocks known dangerous classes while implicitly trusting all other serializable types, leading to a structurally insecure design.
CVE-2026-44963 exploits this design flaw by leveraging a previously unlisted [Serializable] class that bypasses the blocklist and triggers code execution during deserialization.

The attack only requires authentication as a low-privilege domain user since the authorization check merely verifies membership in WindowsBuiltInRole.User, a role that includes all domain users by default on domain-joined systems. This lack of privilege separation enables attackers to reach the vulnerable deserialization sink without needing administrative access.
The exploitation chain involves a three-step WCF interaction sequence. First, RestoreJobSessionsDbScopeCreateSession establishes a session context. Next, OpenVbRestoreSession initializes the deserialization environment.
Finally, ExecuteStartAgentSessionTrafficProxy delivers the malicious BinaryFormatter payload, which CProxyBinaryFormatter processes with Deserialize(). The payload exploits a gadget chain rooted in the deserialization of System.Data.DataSet, specifically by abusing the ReadXmlSchema and ReadXml methods to process attacker-controlled XML.
The core of the exploit is the DataSet deserialization constructor, which parses an attacker-supplied XML schema containing a crafted xsi:type reference. This allows the instantiation of arbitrary .NET classes, particularly System.Windows.Data.ObjectDataProvider.
By setting properties such as ObjectInstance, MethodName, and MethodParameters, attackers can invoke Process.Start and execute arbitrary commands under the context of the Veeam Backup Service account, typically running with SYSTEM privileges.
The root cause of this issue is tied to Veeam’s reliance on BinaryFormatter, which Microsoft has deemed obsolete and inherently unsafe since .NET 5.
The blocklist approach is insufficient because it cannot account for all potential gadget classes, particularly DataSet-derived types that expose code-execution vulnerabilities. Each new CVE in this family, including CVE-2024-40711, CVE-2025-23120, and others, follows the same pattern of identifying a new class not included in the blocklist.
Patch analysis of Veeam version 12.3.2.4854 (KB4696) indicates that the fix for CVE-2026-44963 involved simply adding the newly exploited gadget class to the embedded BinaryFormatter.blacklist.txt resource.
No architectural changes were made to eliminate BinaryFormatter or redesign the deserialization pipeline, leaving the broader attack surface intact. In contrast, Veeam version 13.x has removed the BinaryFormatter-based pipeline, making it immune to this vulnerability class.
Security researchers stress that this vulnerability corresponds to CWE-502 (Deserialization of Untrusted Data) and underscores the inherent risks of relying on blacklist-based defenses.
Organizations using Veeam version 12.x are strongly advised to apply patches immediately, restrict network access to TCP port 8000, and consider deploying backup servers in workgroup mode to limit exposure to domain-based authentication.
Interact with Cyber Threats in Windows, Linux, macOS VMs to Trigger Full Attack Chain - Analyse Malware & Phishing with ANY RUN

