VEEAM has addressed a critical remote code execution (RCE) vulnerability, CVE-2026-44963, impacting Backup & Replication version 12.x, allowing low-privileged domain users to potentially take control of backup servers within an Active Directory domain. The flaw, rated 9.4 on the CVSS v4 scale, was fixed in version 12.3.2.4854 and does not affect version 13.x.
While there are currently no known exploits of this vulnerability in the wild, Veeam warns that attackers may attempt to exploit unpatched versions after the patch is publicly released. Backup systems are attractive targets for ransomware groups due to their critical role in recovery processes. In June 2025, Veeam released a patch for another critical vulnerability, CVE-2025-23121, with a score of 9.9.