"A vulnerability allowing remote code execution (RCE) on the Backup Server by an authenticated domain user," Veeam said in its advisory — tracked as CVE-2026-44963 — exposing a familiar but dangerous target: domain-joined backup servers.
CVE-2026-44963: the flaw, affected builds, and the patch
The vulnerability, reported by WatchTowr security researcher Sina Kheirkhah, affects Veeam Backup & Replication (VBR) 12.3.2.4465 and all earlier builds in the 12.x line. Veeam released a fix in version 12.3.2.4854. According to the vendor, the flaw can be exploited to achieve remote code execution (RCE) on Backup Servers that are joined to a Windows domain.
Veeam also stated plainly that "This vulnerability does not affect any version 13.x build of Veeam Backup & Replication due to architectural changes starting in version 13." The vendor's advisory emphasizes the distinction between domain-joined and non–domain-joined deployments: only the former are affected.
Who can exploit it, and who stands to lose access
Unusually for a critical RCE, the exploit requires only an authenticated domain user with low privileges. That lowers the technical bar for attackers who can obtain or impersonate such credentials. Veeam warned that many organizations have nevertheless joined their Veeam servers to a Windows domain, "ignoring Veeam's long-standing best practices," increasing the number of at-risk deployments.
At the time of the advisory there were no public reports of active exploitation. Veeam cautioned, however, that attackers typically begin developing exploits immediately after patches are published — a pattern the company summarized: "It's important to note that once a vulnerability and its associated patch are disclosed, attackers will likely attempt to reverse-engineer the patch to exploit unpatched deployments of Veeam software."
Ransomware groups' track record with Veeam Backup & Replication
Backup servers have become a prime target for financially motivated adversaries because successful compromise lets attackers steal sensitive data, move laterally inside breached networks, and obstruct recovery by deleting backups. Ransomware gangs have directly told reporters they "always target Veeam backup servers" for those capabilities.
The Cybersecurity and Infrastructure Security Agency (CISA) has flagged four VBR vulnerabilities as actively exploited in the wild. In November 2024, Sophos X-Ops reported that a critical VBR RCE, CVE-2024-40711, had been weaponized by multiple ransomware operations including Akira, Fog, and Frag. The FIN7 group and the Cuba ransomware gang have also been linked to attacks exploiting VBR security flaws.
What Veeam is urging and what attackers are likely to do next
Veeam's message is direct: update. The company told customers that prompt installation of updates and patches is essential, stressing the likelihood that attackers will reverse-engineer fixes to target unpatched deployments. That explicit warning, together with the public availability of the patch, sets up a familiar race: disclosure and fixes on one side, and attackers working to weaponize the details on the other.
For users of version 13.x, Veeam noted that architectural changes starting in version 13 mean the vulnerability does not affect those builds. That gives organizations a way to eliminate the risk by moving to 13.x rather than remaining on a patched 12.x branch.
What this means for security teams, enterprise IT, and regulators
- Security teams and technologists: Expect a swift push to identify domain-joined VBR servers and to assess whether affected builds (12.3.2.4465 and earlier 12.x) are in use. The advisory and the patch release make unpatched systems a likely focus for exploit development.
- Enterprise IT and procurement leaders: The advisory highlights a recurring operational trade-off: convenience of domain-joining versus the vendor-recommended isolation. Many organizations that joined Veeam servers to a Windows domain will now need to weigh the cost and operational impact of patching, upgrading to 12.3.2.4854, or moving to 13.x.
- Policymakers and regulators: CISA's prior flags on VBR flaws and the ongoing attention from multiple ransomware gangs mark this as a persistent supply-chain and infrastructure concern for critical services that depend on backup platforms.
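The triage described in the first bullet, as an added example that is not from Veeam or the original report: it classifies an inventory using only the build numbers and the domain-join condition stated above. The inventory, host names and column names are constructed, and builds the page does not cover are flagged for review rather than guessed at.

```python
import csv
import io

LAST_AFFECTED = (12, 3, 2, 4465)  # last affected build named in the advisory
FIRST_FIXED = (12, 3, 2, 4854)    # fixed build named in the advisory
# Constructed sample inventory: hosts, builds and column names are hypothetical.
SAMPLE_INVENTORY = """host,vbr_build,domain_joined
vbr-ny-01,12.3.2.4465,yes
vbr-ldn-01,12.3.2.4854,yes
vbr-lab-01,12.2.0.334,no
vbr-dr-01,13.0.0.4967,yes
vbr-old-01,12.3.2.4700,yes
vbr-bad-01,unknown,yes
"""

def parse_build(text):
    """Return the build as a 4-tuple of ints, or None if it is not N.N.N.N."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdecimal() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def classify(build_text, domain_joined):
    """Map one inventory row to a triage status for CVE-2026-44963."""
    build = parse_build(build_text)
    if build is None:
        return "REVIEW: unparseable build"
    if build[0] == 13:
        return "NOT AFFECTED: 13.x"
    if build[0] != 12:
        return "REVIEW: outside 12.x/13.x, not covered by the advisory text"
    if build >= FIRST_FIXED:
        return "FIXED"
    if not domain_joined:
        return "NOT AFFECTED: not domain-joined (still below fixed build)"
    if build <= LAST_AFFECTED:
        return "VULNERABLE: update to 12.3.2.4854 or move to 13.x"
    return "REVIEW: build between last affected and first fixed"

def triage(inventory_csv):
    """Return {host: status} for every row of a CSV inventory."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {r["host"]: classify(r["vbr_build"], r["domain_joined"].strip().lower() == "yes")
            for r in rows}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:12} {status}")
```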
Veeam's global footprint — more than 550,000 customers, including 82% of the Fortune 500 and 74% of the Global 2,000 — means the patch decision will be material for a large number of organizations. With no confirmed exploit yet but with a clear incentive for attackers to reverse-engineer the update, the record from past VBR flaws is instructive: the window between patch disclosure and weaponization is short, and backup servers are high-value targets.
Link to the original report: https://www.bleepingcomputer.com/news/security/new-veeam-vulnerability-exposes-backup-servers-to-rce-attacks/




