A significant security flaw has been identified in Veeam Backup & Replication, a leading enterprise backup platform used worldwide. This vulnerability, cataloged as CVE-2026-44963, permits authenticated domain users to execute arbitrary code remotely on backup servers, creating substantial risks for organizations relying on Veeam for safeguarding their data and ensuring recovery operations.
The flaw has been assigned a CVSS v4 score of 9.4, indicating its critical nature. Reported by security expert Sina Kheirkhah from WatchTowr, the vulnerability allows remote code execution (RCE) by any authenticated domain user, which significantly increases the potential attack surface due to the minimal privilege required.
Impact on Domain-Joined Servers
This vulnerability specifically impacts domain-joined backup servers. Organizations that operate Veeam in a workgroup setup instead of an Active Directory domain environment remain unaffected by this issue. Veeam’s own security guidelines have long advised assessing the differences between workgroup and domain configurations, as domain-joined setups increase the risk of exposure.
The flaw affects Veeam Backup & Replication versions 12 through 12.3.2.4465, as well as all earlier iterations of version 12, covering a broad spectrum of deployments across major releases. However, version 13.x is immune due to architectural modifications in that update cycle.
Patch and Mitigation Strategies
Veeam has rectified this vulnerability in version 12.3.2.4854, released on June 9, 2026, which can be obtained through Veeam KB4696. Immediate upgrades are strongly recommended for organizations to ensure protection. Veeam also cautioned that once a patch is public, threat actors often reverse-engineer it to craft exploits targeting unpatched systems.
Given the critical CVSS score and the relatively low threshold for access required to exploit this vulnerability, unpatched systems are at high risk of attack. Consequently, security teams should act promptly to apply the necessary updates and safeguard their infrastructure.
Recommendations for Security Teams
Organizations should immediately upgrade to Veeam Backup & Replication 12.3.2.4854. Additionally, they should audit backup server configurations to determine if they are domain-joined and consider transitioning to a workgroup setup in line with Veeam’s security best practices. Monitoring for unusual lateral movement or privilege escalation from backup systems is also advised.
Backup servers are lucrative targets for ransomware attackers, thus making the swift patching of CVE-2026-44963 a high priority for enterprise security teams. Ensuring robust access controls for domain users on all Veeam Backup Server instances is critical to minimizing risk.
Stay updated with the latest security news by following us on Google News, LinkedIn, and X.
