VEEAM has disclosed a critical remote code execution vulnerability in its Backup & Replication product that lets low‑privilege domain users run arbitrary code on backup servers. The flaw, tracked as CVE-2026-44963 and rated 9.4 on the CVSS v4 scale, was patched in version 12.3.2.4854 and does not affect the 13.x line.
The vulnerability resides in the way the service processes certain RPC calls, allowing an authenticated domain user with only standard privileges to send a specially crafted request that triggers remote code execution. Versions 12.0 through 12.3.1 are vulnerable, while the 13.x release remains unaffected. The issue was assigned a CVSS v4 score of 9.4, reflecting its potential to compromise the integrity and availability of backup infrastructure.
This disclosure follows a similar high‑severity issue, CVE-2025-23121, which Veeam addressed in June 2025 with a CVSS v3 score of 9.9. Both flaws underline the attractiveness of backup systems to threat actors seeking to undermine recovery capabilities.
At present there are no public exploits or observed attacks leveraging CVE-2026-44963 in the wild. However, Veeam warns that proof‑of‑concept code could appear soon after the advisory, and ransomware groups frequently target unpatched backup servers to increase leverage. Organisations should treat the flaw as a priority until systems are updated.
Administrators should upgrade to Veeam Backup & Replication 12.3.2.4854 or later as soon as possible. They should also verify the exact build number of any existing deployment and confirm that the update has been applied successfully. Network‑level controls, such as restricting RPC traffic to trusted subnets, can reduce exposure while the rollout progresses. Enhanced logging and alerts for unusual process creation or privileged account usage on backup hosts will help detect any attempted abuse.
Beyond patching, organisations are advised to review privilege assignments for domain accounts that interact with backup infrastructure, ensuring least‑privilege principles are applied. Multifactor authentication for administrative access and regular integrity checks of backup catalogs add another layer of defence. Staying subscribed to Veeam’s security mailing list will ensure timely notice of any future advisories.