Veeam backup servers at risk from new RCE vulnerability

Summary
– Veeam released security updates to patch a critical Backup & Replication vulnerability (CVE-2026-44963) allowing remote code execution on domain-joined backup servers.
– The flaw affects Veeam Backup & Replication version 12.3.2.4465 and all earlier version 12 builds, but not version 13.x due to architectural changes.
– Any authenticated low-privilege domain user can exploit this vulnerability, which only impacts installations joined to a domain.
– Although no active exploitation has been reported, Veeam warns attackers often reverse-engineer patches to target unpatched deployments.
– Ransomware gangs frequently target Veeam backup servers to steal data, move within networks, and delete backups, with CISA flagging four VBR flaws as actively exploited.
Veeam has rolled out critical security patches to address a newly disclosed vulnerability in its Backup & Replication software, one that could allow attackers to execute remote code on domain-joined backup servers. The flaw, cataloged as CVE-2026-44963, was discovered by WatchTowr researcher Sina Kheirkhah and impacts Veeam Backup & Replication (VBR) version 12.3.2.4465 and all earlier version 12 builds. The fix is included in version 12.3.2.4854.
The vulnerability can be exploited by any domain user with low-level privileges, but it only affects installations that are joined to a Windows domain. “A vulnerability allowing remote code execution (RCE) on the Backup Server by an authenticated domain user,” Veeam stated in an advisory released Tuesday. The company also noted that version 13.x builds are not affected due to architectural changes implemented starting with version 13.
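The conditions above (build number, domain membership, 13.x exemption) can be turned into a quick exposure triage over an inventory export. This is an added example, not code from Veeam or the original article; the CSV layout, hostnames, sample builds other than the two named in the article, and the status labels are constructed assumptions.

```python
import csv
import io

LAST_AFFECTED = (12, 3, 2, 4465)  # article: this build and all earlier v12 builds
FIRST_FIXED = (12, 3, 2, 4854)    # article: build that contains the fix

# Constructed sample inventory; hosts and most builds are made up for illustration.
SAMPLE_INVENTORY = """host,vbr_build,domain_joined
vbr-01,12.3.2.4465,yes
vbr-02,12.3.2.4854,yes
vbr-03,12.0.0.1,no
vbr-04,13.0.0.1,yes
vbr-05,12.3.2.4500,yes
vbr-06,unknown,yes
"""

def parse_build(text):
    """Return a 4-part build as a tuple of ints, or None if it is malformed."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdecimal() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def classify(build_text, domain_joined):
    """Map one server to a triage status using only facts stated in the article."""
    build = parse_build(build_text)
    if build is None or build[0] < 12:
        return "REVIEW"        # unparseable, or a major version the article does not cover
    if build[0] >= 13:
        return "NOT_AFFECTED"  # article: 13.x is not affected
    if build >= FIRST_FIXED:
        return "PATCHED"       # assumption: later v12 builds keep the fix
    if build > LAST_AFFECTED:
        return "REVIEW"        # between the two published builds: status not stated
    # Vulnerable build: the flaw needs a domain-joined server to be reachable.
    return "EXPOSED" if domain_joined else "UPDATE"

def triage(csv_text):
    """Return {host: status} for every row of the inventory CSV."""
    results = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        # Anything that is not an explicit "no" counts as joined (fail-safe).
        joined = row["domain_joined"].strip().lower() not in {"no", "false", "0"}
        results[row["host"].strip()] = classify(row["vbr_build"], joined)
    return results

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

`UPDATE` marks a vulnerable build whose domain precondition is absent; it still needs the fixed build, just with lower urgency than `EXPOSED`.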
Despite Veeam’s long-standing recommendation against joining backup servers to a domain, many organizations continue to do so, leaving themselves exposed. While there are no confirmed reports of active exploitation, Veeam warned that attackers often begin developing exploits as soon as patches are made public. “Once a vulnerability and its associated patch are disclosed, attackers will likely attempt to reverse-engineer the patch to exploit unpatched deployments,” the company cautioned. “This reality underscores the critical importance of ensuring that all customers use the latest versions of our software and install all updates and patches without delay.”
Veeam backup servers are a frequent target in ransomware attacks. Ransomware gangs have told BleepingComputer that targeting these systems allows them to steal sensitive data, move laterally within breached networks, and delete backups to block recovery efforts. The Cybersecurity and Infrastructure Security Agency (CISA) has flagged four Veeam Backup & Replication flaws as actively exploited in recent years, all of which have been abused by ransomware operations.
In November 2024, Sophos X-Ops reported that groups including Akira, Fog, and Frag had weaponized another critical VBR RCE flaw, CVE-2024-40711. The FIN7 threat group, which has collaborated with Maze, Egregor, Conti, REvil, and BlackBasta, along with the Cuba ransomware gang, has also been linked to attacks exploiting Veeam vulnerabilities.
With over 550,000 customers worldwide, including 82% of Fortune 500 companies and 74% of Global 2,000 firms, Veeam’s products remain a high-value target. Organizations are urged to apply the latest updates immediately to minimize risk.
(Source: BleepingComputer)