CVE-2026-44963: scope and severity
Veeam has assigned the flaw the identifier CVE-2026-44963 and given it a CVSS score of 9.4 out of 10.0, marking it as critical. According to the advisory, the vulnerability could permit remote code execution on the Backup Server when an attacker is an authenticated domain user — a notably lower bar than requiring administrative credentials. Veeam's language frames the issue in clear operational terms: authentication within the domain is sufficient for the vulnerability to be exploited to run code remotely.
Affected builds and the patched release 12.3.2.4854
The company said the flaw affects Veeam Backup & Replication 12.3.2.4465 and all earlier builds in the 12 branch. Veeam released a corrected build, 12.3.2.4854, to address the shortcoming. Separately, Veeam noted that version 13.x builds are not affected, a consequence the company attributes to architectural changes introduced in version 13.
Who found it and how it was reported
Veeam credited Sina Kheirkhah of watchTowr for responsibly discovering and reporting the issue. The advisory explicitly acknowledges that the researcher reported the flaw through responsible disclosure channels; Veeam's public notice is the vehicle for sharing both the credit and the technical scope with customers.
Context: March 2026 fixes and prior exploitation
The new patch arrives against a recent backdrop: in March 2026 Veeam resolved multiple critical vulnerabilities in Backup & Replication that, if successfully exploited, could also result in remote code execution. Veeam's advisory underscored the operational urgency of keeping software up to date, noting that prior vulnerabilities in the program have been exploited by bad actors, including ransomware groups. That history is the explicit reason Veeam urged users to update.
What this means for technologists, procurement leaders, and adversaries
- Technologists and security teams: The immediate, actionable fact from Veeam is the availability of build 12.3.2.4854. Teams running affected 12.x builds will weigh deploying the patch versus upgrading to 13.x, which Veeam says is not affected due to architectural changes. Given the advisory's identification of authenticated domain users as the required access level for exploitation, defenders should pay particular attention to internal authentication controls and to patching systems that provide backup-server access.
- Procurement and operations leaders: The advisory tightens the procurement calculus: organizations evaluating or renewing Veeam deployments now have a clear divergence between supported 12.x builds that require patching and 13.x builds that Veeam says are not vulnerable. The company’s public credit for a third-party researcher and its recent string of fixes may influence upgrade timelines and vendor-risk assessments.
- Adversaries and threat actors: Veeam’s acknowledgement that prior Backup & Replication flaws have been exploited by ransomware groups serves as an explicit signal that these components are attractive targets; the new advisory makes the specific capabilities and the required attacker profile — an authenticated domain user — publicly visible, which in turn shapes both defensive prioritization and the potential interest of malicious actors.
Veeam's advisory and the details it contains are straightforward: a critical RCE vulnerability (CVE-2026-44963) affecting 12.x builds, a patch in 12.3.2.4854, and a note that 13.x builds are not affected due to architectural changes. The company also reiterated the practical takeaway it has emphasized before — update to the latest software versions — a message reinforced by the record of prior exploitation by ransomware groups. For organizations relying on Veeam Backup & Replication, the particulars in the advisory make the next steps concrete: verify your build, plan updates to the fixed release or to an unaffected 13.x build, and treat authenticated domain access to backup servers as a high-priority control.
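The "verify your build" step can be scripted once you have the installed version strings from your own asset inventory. The following triage helper is an added example, not code from Veeam or from the advisory; it only encodes the build figures quoted above (12.3.2.4465 and earlier affected, 12.3.2.4854 fixed, 13.x unaffected) and flags the intermediate 12.x builds the advisory does not name as still needing the update.

```python
"""Triage installed Veeam Backup & Replication builds against the figures in
the CVE-2026-44963 advisory.  Added example; version strings must be supplied
from your own inventory (the advisory does not specify how to read them)."""
from __future__ import annotations

FIXED_BUILD = (12, 3, 2, 4854)          # first corrected 12.x build per the advisory
LAST_KNOWN_AFFECTED = (12, 3, 2, 4465)  # highest build the advisory names as affected


def parse_build(version: str) -> tuple[int, ...]:
    """Turn '12.3.2.4465' into (12, 3, 2, 4465); reject malformed strings."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised build string: {version!r}")
    return tuple(int(p) for p in parts)


def triage_build(version: str) -> str:
    """Classify one build: 'unaffected', 'fixed', 'affected', 'update-advised'
    or 'out-of-scope' (branches the advisory does not speak to)."""
    build = parse_build(version)
    major = build[0]
    if major >= 13:
        return "unaffected"        # advisory: 13.x not affected (architectural changes)
    if major < 12:
        return "out-of-scope"      # advisory only addresses the 12 branch
    if build >= FIXED_BUILD:
        return "fixed"
    if build <= LAST_KNOWN_AFFECTED:
        return "affected"
    # 12.x builds newer than 12.3.2.4465 but older than the fix are not named
    # in the advisory; treat them as needing the patch rather than assuming safety.
    return "update-advised"


def triage_inventory(hosts: dict[str, str]) -> dict[str, list[str]]:
    """Group host names by triage result so affected servers surface together."""
    groups: dict[str, list[str]] = {}
    for host, version in hosts.items():
        groups.setdefault(triage_build(version), []).append(host)
    return groups


if __name__ == "__main__":
    # Constructed sample inventory: hostnames and the 12.1 / 13.0 builds are made up.
    sample = {"vbr-01": "12.3.2.4465", "vbr-02": "12.3.2.4854",
              "vbr-03": "12.1.0.1234", "vbr-04": "13.0.0.100"}
    for result, names in sorted(triage_inventory(sample).items()):
        print(f"{result:16} {', '.join(names)}")
```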
Source: https://thehackernews.com/2026/06/veeam-backup-replication-rce-flaw-lets.html