Veeam has patched a critical remote code execution vulnerability in Backup & Replication 12.x that allows a low-privilege domain user to take over backup servers without administrator credentials. The flaw is tracked as CVE-2026-44963 and carries a CVSS v4 score of 9.4. Version 13.x is not affected.
BleepingComputer reported the vulnerability on 10 June 2025, describing it as allowing domain users to execute arbitrary code on backup infrastructure remotely. Backup servers are an attractive target: compromising them gives an attacker access to recovery data, to credentials stored in backup jobs and, in many environments, to a privileged network path to production systems.
The fix is available now. Organizations running Veeam Backup & Replication 12.x should update to version 12.3.2.4854 immediately.
Why Backup Servers Are the Target Worth Protecting
The attack vector here is what makes this flaw particularly damaging. Exploitation does not require a stolen administrator account or a phishing chain. Any domain user, including accounts with minimal privileges, can trigger remote code execution against the backup server. In most Active Directory environments, that bar is low enough that an attacker who has compromised a single workstation has a direct path to the backup infrastructure.
Ransomware operators have understood this for years. Deleting or encrypting backups before triggering the main payload is standard procedure for groups that want to maximize leverage. A vulnerability that lets them take over backup servers before the ransom note appears is exactly the capability they look for when selecting targets.
Two additional CVEs, CVE-2026-21669 and CVE-2026-21670, were patched in the same release cycle; both also affect Backup & Replication 12.x. Veeam has not published full technical detail on either CVE at the time of writing. The same update, version 12.3.2.4854, addresses all three.
A Note on the Source Material
The CVE year prefix on CVE-2026-44963 is unusual for a vulnerability disclosed in mid-2025, and the fix version cited in third-party reporting does not match the version numbers in Veeam’s own KB4830 and KB4831 knowledge base articles. KB4831, published by Veeam, documents vulnerabilities resolved in version 13.0.1.2067, while KB4830 covers version 12.3.2.4465. A separate source at Rescana references CVE-2025-59470 in the same product line. It is possible the brief conflates distinct patches issued at different points in 2025. Verify the correct target version against Veeam’s own advisory before applying updates in production.
This is not a reason to delay patching. It is a reason to check Veeam’s KB articles directly rather than relying on third-party version numbers.
Apply the Patch, Then Check for Prior Compromise
Update to the version confirmed by Veeam’s own knowledge base as resolving CVE-2026-44963. Cross-reference against KB4830 and KB4831 before scheduling the maintenance window.
If your Veeam server has been internet-exposed or accessible to untrusted network segments, treat it as potentially compromised before patching. Review authentication logs for lateral movement from low-privilege accounts, check for unexpected scheduled tasks or service installations, and verify backup job integrity before trusting recovery data.
Runzero has published guidance on identifying exposed Veeam instances across an environment, linked in the references below, which is useful for organisations that need to locate all running 12.x deployments before the patch window opens.
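Once an inventory of Veeam hosts exists, the remaining work is deciding which ones go on the patch list. The script below is an added example, not code from Veeam, Runzero or the article: it takes a constructed inventory of hostnames and reported build numbers and classifies each host against a fix build that is passed in as a parameter, because the confirmed 12.x fix build must come from Veeam's KB article rather than from third-party reporting. It applies the article's rule that the 13.x line is not affected by CVE-2026-44963.

```python
"""Triage a Veeam Backup & Replication inventory against a confirmed fix build.

Added example, not from Veeam or the article. INVENTORY is constructed sample
data; the fix version is a parameter because the article notes that third-party
reporting and Veeam's own KB articles disagree on the build number, so take it
from the vendor advisory.
"""
from __future__ import annotations

# Constructed sample inventory: (hostname, reported product version)
INVENTORY = [
    ("vbr-01", "12.3.2.4465"),
    ("vbr-02", "12.3.2.4854"),
    ("vbr-03", "12.1.0.2131"),
    ("vbr-04", "13.0.1.2067"),
    ("vbr-05", "n/a"),
]


def parse_version(text: str) -> tuple[int, ...] | None:
    """Parse a dotted build number such as '12.3.2.4854'; None if malformed."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def classify(version_text: str, fixed_12x: str) -> str:
    """Classify one host relative to the 12.x fix build for CVE-2026-44963.

    Returns 'vulnerable', 'patched', 'not_affected' (13.x, per the article)
    or 'unknown' (unparseable string or an unexpected major version).
    """
    v = parse_version(version_text)
    fixed = parse_version(fixed_12x)
    if v is None or fixed is None:
        return "unknown"
    if v[0] == 13:
        return "not_affected"
    if v[0] != 12:
        return "unknown"
    # Tuple comparison is conservative for short strings: '12.3' < '12.3.2.4854'
    return "patched" if v >= fixed else "vulnerable"


def triage(inventory, fixed_12x: str) -> dict[str, list[str]]:
    """Group hostnames by status so the vulnerable set can go on the patch list."""
    groups: dict[str, list[str]] = {}
    for host, ver in inventory:
        groups.setdefault(classify(ver, fixed_12x), []).append(host)
    return groups


if __name__ == "__main__":
    for status, hosts in sorted(triage(INVENTORY, "12.3.2.4854").items()):
        print(f"{status:13} {', '.join(hosts)}")
```

Hosts that come back as `unknown` need a manual version check rather than being dropped from the patch list.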
No public exploit code has been confirmed at the time of writing, but Veeam vulnerabilities have been weaponised rapidly in previous cycles. CVE-2023-27532, a similarly rated flaw in an older Backup & Replication release, appeared in ransomware campaigns within weeks of disclosure. Waiting for proof-of-concept code to appear publicly before patching is not a reasonable risk calculation here.
References
- New Veeam RCE Flaw Lets Domain Users Hack Backup Servers
- New Veeam Vulnerability Exposes Backup Servers to RCE Attacks
- Vulnerabilities Resolved in Veeam Backup & Replication 12.3.2.4465
- Vulnerabilities Resolved in Veeam Backup & Replication 13.0.1.2067
- Veeam RCE Vulnerabilities – How to Find Impacted Assets
- Critical Veeam RCE Flaw Lets Low-Privilege Users Take Over Backup Servers