Critical Vulnerability in Veeam Backup & Replication Allows Remote Code Execution!

High-Risk Vulnerability Discovered in Veeam Backup Systems

Information security specialists have reported the discovery of a serious security vulnerability in Veeam Backup & Replication software. The vulnerability, registered under the identifier CVE-2026-44963, enables Remote Code Execution (RCE) and poses a significant threat to backup management servers used by enterprises and organizations.

As this vulnerability targets backup servers—one of the most critical components of an organization’s information infrastructure—it is considered a serious threat that could be actively exploited by cybercriminals, including ransomware operators.

Vulnerability Description

The CVE-2026-44963 vulnerability was discovered by Sina Kheirkhah, a security researcher at watchTowr, and responsibly disclosed to the vendor. The vulnerability has been assigned a CVSS v4 score of 9.4, placing it in the Critical severity category.

The most dangerous aspect of this vulnerability is that exploitation does not require high-level administrative privileges. A standard user account authenticated within an Active Directory domain may be sufficient for an attacker to execute arbitrary commands on the backup server.

As a result, an attacker may be able to:

  • Gain control of the backup server;
  • Install malicious software;
  • Modify system configurations;
  • Steal sensitive information;
  • Delete or encrypt backup copies;
  • Conduct further attacks across the network.

Which Systems Are at Risk?

The vulnerability affects only domain-joined Veeam backup servers, that is, servers joined to an Active Directory domain.

Organizations operating Veeam Backup & Replication in a Workgroup configuration are not affected by this specific vulnerability.

Veeam has long recommended evaluating the security benefits of isolating backup servers from domain infrastructure and using a Workgroup configuration whenever possible. This is because domain environments provide attackers with additional opportunities and expand the potential attack surface.

Affected Versions

The vulnerability affects the following versions of Veeam Backup & Replication:

  • Veeam Backup & Replication 12;
  • Veeam Backup & Replication 12.1;
  • Veeam Backup & Replication 12.2;
  • Veeam Backup & Replication 12.3;
  • Veeam Backup & Replication 12.3.1;
  • Veeam Backup & Replication 12.3.2 (all releases prior to Build 4854).

All previous releases within the Version 12 product line should also be considered vulnerable.

Veeam Backup & Replication version 13.x is not affected by this vulnerability due to architectural changes introduced in that release.
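
The exposure rules from the two sections above, applied to an asset inventory. This is an added example, not code from Veeam or from the original advisory; the `Server` record, the status labels and the sample hosts and build strings are constructed for illustration.

```python
import re
from typing import NamedTuple

FIXED_BUILD = (12, 3, 2, 4854)  # first fixed build named in the advisory

class Server(NamedTuple):
    host: str            # hypothetical inventory field names
    version: str         # product build string, e.g. "12.3.2.1000"
    domain_joined: bool  # True if the server is an Active Directory member

def parse_build(version: str) -> tuple:
    """Parse '12.1' or '12.3.2.4854' into a 4-part tuple, zero-padded.

    Padding is deliberately conservative: a bare '12.3.2' with no build
    number sorts below 12.3.2.4854 and is treated as unpatched.
    """
    text = version.strip()
    if not re.fullmatch(r"\d+(\.\d+){0,3}", text):
        raise ValueError(f"unrecognised build string: {version!r}")
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def triage(server: Server) -> str:
    """Classify one server against the advisory's affected-version rules."""
    try:
        build = parse_build(server.version)
    except ValueError:
        return "check-manually"        # never assume an unreadable build is safe
    if build[0] >= 13:
        return "not-affected"          # 13.x: not affected per the advisory
    if build[0] < 12:
        return "not-covered"           # advisory only speaks to the v12 line
    if build >= FIXED_BUILD:
        return "patched"
    # Unpatched v12: exposure to this CVE depends on domain membership.
    return "vulnerable" if server.domain_joined else "unpatched-workgroup"

# Constructed sample inventory (hosts and builds are illustrative only).
INVENTORY = [
    Server("vbr-01", "12.3.2.1000", True),
    Server("vbr-02", "12.3.2.4854", True),
    Server("vbr-03", "12.1", False),
    Server("vbr-04", "13.0.0.1", True),
    Server("vbr-05", "12.3.2", True),
    Server("vbr-06", "v12-unknown", True),
]

if __name__ == "__main__":
    for s in INVENTORY:
        print(f"{s.host:8} {s.version:14} {triage(s)}")
```

Hosts reported as `unpatched-workgroup` fall outside this CVE's stated scope but are still covered by the recommendation to upgrade every system to the fixed build.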

Vendor-Provided Remediation

Veeam has released a security update that resolves this vulnerability in Veeam Backup & Replication version 12.3.2.4854.

According to Veeam security experts, once vulnerability fixes are publicly disclosed, threat actors often analyze the patched code to understand the underlying flaw and develop exploit tools targeting systems that have not yet been updated. For this reason, delaying the installation of security updates significantly increases organizational risk.

Recommendations for Organizations

To mitigate the risks associated with this vulnerability, organizations are advised to implement the following measures:

1. Update the Software Immediately

All Veeam Backup & Replication systems should be upgraded to version 12.3.2.4854 or later as soon as possible.

2. Review Domain Configuration

Organizations should verify whether backup servers are joined to an Active Directory domain and, where feasible, consider migrating them to a Workgroup configuration.

3. Audit User Privileges

User accounts with access to Veeam servers should be reviewed, and accounts with unnecessary or excessive privileges should be restricted or removed.

4. Monitor Network Activity

Continuous monitoring should be implemented to detect unusual activity originating from backup infrastructure, including attempts at lateral movement, privilege escalation, and the execution of unknown commands.

5. Verify Backup Integrity

Existing backup copies should be regularly tested to ensure they remain intact, unmodified, and fully recoverable.

6. Implement Multi-Factor Authentication

Multi-Factor Authentication (MFA) should be enabled for administrative and service accounts to reduce the likelihood of unauthorized access.

CVE-2026-44963 is one of the most critical vulnerabilities discovered in Veeam Backup & Replication, as it enables a standard domain user to execute code remotely on a backup server.

Because backup servers are essential infrastructure components that support business continuity and data protection, the consequences of successful exploitation could be severe.

Organizations using Veeam Backup & Replication are therefore strongly advised to apply security updates immediately, conduct comprehensive configuration audits, and implement appropriate measures to strengthen the security posture of their backup infrastructure.