Critical RCE Vulnerability in Veeam Backup Exposes Organizations to Attacks

Severity: High (Score: 72.0)

Sources: www.veeam.com, bp.veeam.com, Scworld, www.cve.org, Bleepingcomputer

Published: 2026-06-09 · Updated: 2026-06-10

Keywords: veeam, backup, replication

Summary

Veeam has disclosed a critical vulnerability (CVE-2026-44963) affecting its Backup & Replication software, allowing authenticated domain users to execute remote code on domain-joined backup servers. This flaw impacts versions 12.3.2.4465 and earlier, with a patch available in version 12.3.2.4854. Many organizations have joined their Veeam servers to a Windows domain, contrary to best practices, making them vulnerable to exploitation. Although no active exploitation has been reported, the potential for attackers to develop exploits following the patch release is significant. Ransomware gangs have historically targeted Veeam servers to hinder recovery efforts and steal sensitive data. Veeam's products are widely used, with over 550,000 customers globally, including a large percentage of Fortune 500 companies. Security teams are urged to apply the latest updates immediately to mitigate risks.

Key Points:

  • CVE-2026-44963 allows remote code execution by low-privileged domain users on Veeam servers.
  • Veeam recommends against joining backup servers to a Windows domain, yet many organizations have done so.
  • A patch is available in version 12.3.2.4854, but organizations are urged to update immediately to prevent exploitation.

Detailed Analysis

**Impact** Over 550,000 Veeam customers worldwide, including 82% of Fortune 500 and 74% of Global 2000 companies, are affected by this vulnerability. Organizations using Veeam Backup & Replication versions 12.3.2.4465 and earlier with domain-joined backup servers are at risk. Exploitation could lead to unauthorized remote code execution, data theft, lateral movement within networks, and disruption of backup and recovery processes, increasing exposure to ransomware and prolonged operational downtime. No active exploitation has been reported as of now.

**Technical Details** The vulnerability, tracked as CVE-2026-44963 (CVSS v4 score 9.4), allows authenticated low-privileged domain users to execute remote code on backup servers running Veeam Backup & Replication 12.x builds prior to 12.3.2.4854. The flaw affects only domain-joined installations and does not impact version 13.x due to architectural changes. Attackers exploit the backup server’s dependency on Active Directory for authentication, enabling privilege escalation and execution of arbitrary code during the post-compromise lateral movement phase. No specific malware or IOCs have been publicly disclosed.

**Recommended Response** Apply the security update in Veeam Backup & Replication version 12.3.2.4854 immediately to all affected systems. Avoid joining backup servers to Windows domains where possible, following Veeam’s best practices. Implement multi-factor authentication and segregate backup infrastructure in separate Active Directory forests or workgroups to reduce attack surface. Monitor for unusual domain user activity on backup servers and review logs for signs of unauthorized access or code execution attempts.
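The conditions above (12.x build below 12.3.2.4854, domain-joined, 13.x unaffected, end-of-life versions treated as vulnerable) can be turned into a patch-priority triage over a server inventory. This is an added example, not code from Veeam or the cited sources; the hostnames, build strings and status labels are constructed for illustration.

```python
# Added example: triage a backup-server inventory against the advisory's conditions.
FIXED_BUILD = (12, 3, 2, 4854)   # patched build named in the advisory

# Constructed sample inventory: (hostname, installed build, domain-joined?)
INVENTORY = [
    ("vbr-01", "12.3.2.4465", True),
    ("vbr-02", "12.3.2.4854", True),
    ("vbr-03", "12.1.0.1000", False),
    ("vbr-04", "13.0.0.1000", True),
    ("vbr-05", "11.0.0.1000", True),
    ("vbr-06", "unknown", True),
]

def parse_build(text):
    """Return a 4-tuple of ints, or None if the string is not a.b.c.d."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def classify(build_text, domain_joined):
    build = parse_build(build_text)
    if build is None:
        return "UNKNOWN"            # build cannot be verified: inspect manually
    if build[0] >= 13:
        return "NOT_AFFECTED"       # 13.x builds are unaffected
    if build >= FIXED_BUILD:
        return "PATCHED"
    # Below the fixed build; this also covers end-of-life major versions.
    if domain_joined:
        return "EXPOSED"            # vulnerable build on a domain-joined server
    return "PATCH_PENDING"          # flaw needs domain membership; still update

def triage(inventory):
    """Return (host, status) rows, most urgent first."""
    order = {"EXPOSED": 0, "UNKNOWN": 1, "PATCH_PENDING": 2,
             "PATCHED": 3, "NOT_AFFECTED": 4}
    rows = [(host, classify(build, joined)) for host, build, joined in inventory]
    return sorted(rows, key=lambda row: (order[row[1]], row[0]))

if __name__ == "__main__":
    for host, status in triage(INVENTORY):
        print(f"{host:8} {status}")
```
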

Source articles (10)

  • CC-4794 - Veeam Releases Security Advisory for Critical Vulnerability in Backup & Replication — Digital.Nhs.Uk · 2026-06-09
    CVE-2026-44963 allows authenticated attackers to execute remote code on Veeam Backup & Replication servers.
  • Veeam Backup & Replication All prior to 12.3.2.4854 End-of-life versions should be considered vulnerable Note: Any version of 13.x build is unaffected. — www.veeam.com · 2026-06-09
    Malware often targets backups. Protect yours with immutable storage, verified restore points, and clear access controls to ensure resilience under pressure.
  • New Veeam vulnerability exposes backup servers to RCE attacks — Bleepingcomputer · 2026-06-09
    Veeam has released security updates to patch a critical Backup & Replication security flaw that can be exploited to gain remote code execution (RCE) on domain-joined backup servers. The vulnerability…
  • New Veeam vulnerability exposes backup servers to RCE attacks — Bleepingcomputer · 2026-06-09
    Veeam has released security updates to patch a critical Backup & Replication security flaw that can be exploited to gain remote code execution (RCE) on domain-joined backup servers. The vulnerability…
  • Workgroup Or Domain — bp.veeam.com · 2026-06-09
    Microsoft Active Directory is the heart of the IT infrastructure for nearly every organization. When setting up the Veeam Availability infrastructure keep in mind the principle that a data protection…
  • Critical Veeam Vulnerability Allows RCE Attacks on Backup Servers — Cybersecuritynews · 2026-06-09
    A critical security vulnerability has been disclosed in Veeam Backup & Replication, one of the most widely deployed enterprise backup solutions globally. Tracked as CVE-2026-44963, the flaw enables au…
  • Critical Veeam RCE Flaw Lets Low — Securityaffairs.Co · 2026-06-09
    Veeam addressed a critical RCE vulnerability flaw in Backup & Replication that lets low-privileged domain users take control of backup servers. Veeam has patched a critical remote code execution vulne…
  • Kb4869 — www.veeam.com · 2026-06-09
  • Veeam releases security update for critical backup server vulnerability | brief — Scworld · 2026-06-09
    Coverage from Bleeping Computer indicates that Veeam has released security updates to address a critical vulnerability in its Backup & Replication software. This flaw, if exploited, could allow an aut…
  • Status Reserved CVE-2026-44963 — www.cve.org · 2026-06-09

Timeline

  • 2024-09-07 — CVE-2024-40711 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
  • 2026-06-09 — CVE-2026-44963 published: Veeam disclosed a critical vulnerability allowing remote code execution on backup servers by authenticated domain users.
  • 2026-06-09 — Patch released for Veeam Backup & Replication: Veeam released version 12.3.2.4854 to address the critical RCE vulnerability affecting earlier versions.
  • Recent — Ransomware gangs target Veeam servers: Ransomware groups have historically exploited Veeam vulnerabilities to steal data and disrupt recovery efforts.

CVEs

  • CVE-2024-40711
  • CVE-2026-44963

Related entities

  • FIN7 (APT Group)
  • Data Breach (Attack Type)
  • Malware (Attack Type)
  • Man-in-the-Middle (Attack Type)
  • Phishing (Attack Type)
  • Ransomware (Attack Type)
  • Remote Code Execution (Attack Type)
  • Zero-day Exploit (Attack Type)
  • Sophos X-Ops (Platform)
  • Veeam (Platform)
  • Veeam Backup & Replication (Platform)
  • Windows (Platform)
  • WatchTowr (Company)
  • T1041 - Exfiltration Over C2 Channel (MITRE ATT&CK)
  • T1056 - Input Capture (MITRE ATT&CK)
  • T1566 - Phishing (MITRE ATT&CK)
  • Akira (Ransomware Group)
  • BlackBasta (Ransomware Group)
  • Conti (Ransomware Group)
  • Cuba Ransomware Gang (Ransomware Group)
  • Egregor (Ransomware Group)
  • Fog (Ransomware Group)
  • Frag (Ransomware Group)
  • Maze (Ransomware Group)
  • REvil (Ransomware Group)
  • Cuba (Country)